* bug#47144: security patching of 'patch' package
       [not found] <6d01d537754ce50b10035903d8e7d205699c4b39.camel@zaclys.net>
@ 2021-03-14 21:37 ` Mark H Weaver
  2021-03-15 18:26   ` bug#47144: [PATCH 0/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes] Léo Le Bouter via Bug reports for GNU Guix
  2021-04-14 21:54   ` Leo Famulari
  0 siblings, 2 replies; 6+ messages in thread
From: Mark H Weaver @ 2021-03-14 21:37 UTC (permalink / raw)
  To: 47144

I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.

       Mark

-------------------- Start of forwarded message --------------------
Subject: security patching of 'patch' package
From: Léo Le Bouter <lle-bout@zaclys.net>
To: guix-devel@gnu.org
Date: Wed, 10 Mar 2021 04:14:35 +0100


Hello!

I found that the 'patch' package was vulnerable to numerous CVEs
that other distros like Debian have patched. Here's the list reported
by 'guix lint -c cve patch':

patch@2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638,
CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951,
CVE-2018-6952

Can I use the latest commit from master to build 'patch', then graft
the original package?

i.e. https://git.savannah.gnu.org/git/patch.git

There are not that many commits since the last release, but a lot of time:
https://git.savannah.gnu.org/cgit/patch.git/log/

Thank you,
Léo

-------------------- End of forwarded message --------------------


* bug#47144: [PATCH 0/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes].
  2021-03-14 21:37 ` bug#47144: security patching of 'patch' package Mark H Weaver
@ 2021-03-15 18:26   ` Léo Le Bouter via Bug reports for GNU Guix
  2021-03-15 18:26     ` bug#47144: [PATCH 1/1] " Léo Le Bouter via Bug reports for GNU Guix
  2021-04-14 21:54   ` Leo Famulari
  1 sibling, 1 reply; 6+ messages in thread
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-03-15 18:26 UTC (permalink / raw)
  To: 47144; +Cc: Léo Le Bouter

I tried something, using the patch git repo's master instead of the release
tarballs. I am not sure the git repo contains all the fixes; we could
alternatively just pull patches from Debian.

This attempt does not work yet, however; it fails on some gnulib source file
not being found, for some reason:

gcc: error: parse-datetime.c: No such file or directory
gcc: fatal error: no input files
compilation terminated.

This file seems to be generated by YACC, according to the earlier log.

Léo Le Bouter (1):
  gnu: patch: Update to 2.7.6-7623b2d [security fixes].

 gnu/packages/base.scm | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

-- 
2.30.2

* bug#47144: [PATCH 1/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes].
  2021-03-15 18:26   ` bug#47144: [PATCH 0/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes] Léo Le Bouter via Bug reports for GNU Guix
@ 2021-03-15 18:26     ` Léo Le Bouter via Bug reports for GNU Guix
  2021-03-18 21:58       ` Ludovic Courtès
  0 siblings, 1 reply; 6+ messages in thread
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-03-15 18:26 UTC (permalink / raw)
  To: 47144; +Cc: Léo Le Bouter

* gnu/packages/base.scm (patch/fixed): New variable.
(patch)[replacement]: Graft.
---
 gnu/packages/base.scm | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 9aa69cfe77..a71b47ac4f 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -46,12 +46,14 @@
   #:use-module (gnu packages compression)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages linux)
+  #:use-module (gnu packages autotools)
   #:use-module (gnu packages pcre)
   #:use-module (gnu packages texinfo)
   #:use-module (gnu packages hurd)
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages python)
   #:use-module (gnu packages gettext)
+  #:use-module (gnu packages version-control)
   #:use-module (guix i18n)
   #:use-module (guix utils)
   #:use-module (guix packages)
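Review bot: both new imports exist only to serve patch/fixed, and the (gnu packages version-control) one looks avoidable: the replacement's bootstrap phase further down runs `bootstrap --no-git`, so git-minimal should not be needed as a native input, and base.scm is a low-level module where every extra #:use-module is a potential import cycle. Drop the version-control import unless the build is shown to actually need git.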
@@ -228,6 +230,7 @@ standard utility.")
                (base32
                 "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc"))
               (patches (search-patches "patch-hurd-path-max.patch"))))
+   (replacement patch/fixed)
    (build-system gnu-build-system)
    (arguments
     ;; Work around a cross-compilation bug whereby libpatch.a would provide
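Review bot: a graft on `patch` buys very little here, as Ludovic also points out in his reply: nearly every user of this package is a build-time dependency that only ever feeds it Guix's own, controlled patch files, whereas the listed CVEs concern untrusted input. Grafts also rewrite store file names in place, which is why the replacement below has to keep the version string "2.7.6"; if the goal is that `guix install patch` yields the fixed tool, a separate public package with a distinct version is the cleaner route, and this `(replacement patch/fixed)` line can go.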
@@ -246,6 +249,42 @@ differences.")
    (license gpl3+)
    (home-page "https://savannah.gnu.org/projects/patch/")))
 
+(define patch/fixed
+  (let ((commit "7623b2dc0d1837ecfd58f32efc78e35834deeb38"))
+    (package/inherit patch
+      (name "patch")
+      (version "2.7.6")
+      ;; (version (string-append "2.7.6-" (string-take commit 7)))
+      (source
+       (origin
+         (method git-fetch)
+         (uri (git-reference
+               (url "https://git.savannah.gnu.org/git/patch.git")
+               (commit commit)
+               (recursive? #t)))
+         (file-name (git-file-name name version))
+         (sha256
+          (base32
+           "0k3i95gkbi21lipadlg1zd03d928b65x322q08xgdg461vnw2i6h"))
+         (patches (search-patches "patch-hurd-path-max.patch"))))
+      (arguments
+       (substitute-keyword-arguments (package-arguments patch)
+         ((#:phases phases '%standard-phases)
+           `(modify-phases ,phases
+             (replace 'bootstrap
+               (lambda* (#:key inputs #:allow-other-keys)
+                 (substitute* (list "gnulib/gnulib-tool"
+                                    "gnulib/build-aux/git-version-gen")
+                   (("/bin/sh") (which "sh")))
+                 (invoke "bash" "bootstrap" "--no-git"
+                         "--gnulib-srcdir=gnulib")
+                 #t))))))
+      (native-inputs
+       `(("autoconf" ,autoconf)
+         ("automake" ,automake)
+         ("git" ,git-minimal)
+         ,@(package-native-inputs patch))))))
+
 (define-public diffutils
   (package
    (name "diffutils")
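Review bot: the build failure quoted in the cover letter (gcc: error: parse-datetime.c: No such file or directory) most likely points at a missing native input rather than a broken gnulib checkout: parse-datetime.c is generated from a YACC grammar, so `bison` (from (gnu packages bison)) should be added to native-inputs next to autoconf and automake. Two smaller points in the same hunk: `git-minimal` is pulled in although bootstrap is invoked with --no-git, and the commented-out `(version (string-append "2.7.6-" ...))` line should either be deleted or replaced by a comment stating that the version must stay "2.7.6" for the graft to apply. The trailing `#t` in the phase and the unused `inputs` keyword are harmless but can be dropped.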
-- 
2.30.2

* bug#47144: [PATCH 1/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes].
  2021-03-15 18:26     ` bug#47144: [PATCH 1/1] " Léo Le Bouter via Bug reports for GNU Guix
@ 2021-03-18 21:58       ` Ludovic Courtès
  2022-03-23  3:03         ` bug#47144: security patching of 'patch' package Maxim Cournoyer
  0 siblings, 1 reply; 6+ messages in thread
From: Ludovic Courtès @ 2021-03-18 21:58 UTC (permalink / raw)
  To: 47144

Hi,

Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> skribis:

> * gnu/packages/base.scm (patch/fixed): New variable.
> (patch)[replacement]: Graft.

It’s (almost) useless to provide a graft of ‘patch’ because patch is
usually a build-time only dependency.  (Maybe we can tell it’s not
vulnerable to the issues at hand because in that context it’s always
given controlled input: the package patches.)

What could be useful is to provide a second version of patch so that
people running ‘guix install patch’ or similar get the newer version.

HTH,
Ludo’.
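The alternative Ludovic describes, a second public `patch` package instead of a graft, as an added illustration (example code, not from this thread and not part of Guix). The commit and sha256 are the ones from the posted patch; the module name `(my-channel packages patch-snapshot)`, the synopsis, and the addition of `bison` as the tool that generates parse-datetime.c are assumptions, as is the assumption that the snapshot builds at all, since the attempt in this thread did not get that far.

```scheme
;; Added illustration, not code from the thread or from Guix.  It assumes
;; it lives in a channel module (name below is hypothetical), that the
;; gnulib submodule comes from the recursive checkout, and that bison is
;; what produces parse-datetime.c from gnulib's .y source (assumption).
(define-module (my-channel packages patch-snapshot)
  #:use-module (guix packages)
  #:use-module (guix git-download)
  #:use-module (guix utils)
  #:use-module (gnu packages)
  #:use-module (gnu packages base)
  #:use-module (gnu packages autotools)
  #:use-module (gnu packages bison))

(define-public patch/snapshot
  (let ((commit "7623b2dc0d1837ecfd58f32efc78e35834deeb38")
        (revision "0"))
    (package
      (inherit patch)
      (name "patch")
      ;; A distinct version string: this is not a graft, so nothing forces
      ;; it to be the same length as "2.7.6".
      (version (git-version "2.7.6" revision commit))
      (source
       (origin
         (method git-fetch)
         (uri (git-reference
               (url "https://git.savannah.gnu.org/git/patch.git")
               (commit commit)
               (recursive? #t)))           ;pull the gnulib submodule
         (file-name (git-file-name name version))
         (sha256
          (base32
           ;; Hash copied from the patch posted in this thread.
           "0k3i95gkbi21lipadlg1zd03d928b65x322q08xgdg461vnw2i6h"))
         (patches (search-patches "patch-hurd-path-max.patch"))))
      (arguments
       (substitute-keyword-arguments (package-arguments patch)
         ((#:phases phases '%standard-phases)
          `(modify-phases ,phases
             (replace 'bootstrap
               (lambda _
                 ;; gnulib's helper scripts hard-code /bin/sh.
                 (substitute* '("gnulib/gnulib-tool"
                                "gnulib/build-aux/git-version-gen")
                   (("/bin/sh") (which "sh")))
                 ;; --no-git: the submodule is already checked out, so git
                 ;; itself is not needed as a native input.
                 (invoke "bash" "bootstrap" "--no-git"
                         "--gnulib-srcdir=gnulib")))))))
      (native-inputs
       `(("autoconf" ,autoconf)
         ("automake" ,automake)
         ("bison" ,bison)            ;assumption: generates parse-datetime.c
         ,@(package-native-inputs patch)))
      (synopsis "GNU patch built from a post-2.7.6 git snapshot"))))
```

Because the package keeps the name "patch" but carries a higher version string, `guix install patch` selects it over the release package, while every package that lists the release `patch` as a native input keeps using the release build and nothing is rebuilt. The trade-off is that `guix lint -c cve patch` will still flag the release package, which remains the one used at build time.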

* bug#47144: security patching of 'patch' package
  2021-03-14 21:37 ` bug#47144: security patching of 'patch' package Mark H Weaver
  2021-03-15 18:26   ` bug#47144: [PATCH 0/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes] Léo Le Bouter via Bug reports for GNU Guix
@ 2021-04-14 21:54   ` Leo Famulari
  1 sibling, 0 replies; 6+ messages in thread
From: Leo Famulari @ 2021-04-14 21:54 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: 47144

On Sun, Mar 14, 2021 at 05:37:25PM -0400, Mark H Weaver wrote:
> patch@2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638,
> CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951,
> CVE-2018-6952

I tried building a "fixed" package of patch, cherry-picking bug fix
patches from patch.git.

Unfortunately, the patches largely don't apply to the most recent
release of patch.

Since there is no release fixing these bugs, and no clear advice about
which patches to apply, I'm going to stop working on this for now.

* bug#47144: security patching of 'patch' package
  2021-03-18 21:58       ` Ludovic Courtès
@ 2022-03-23  3:03         ` Maxim Cournoyer
  0 siblings, 0 replies; 6+ messages in thread
From: Maxim Cournoyer @ 2022-03-23  3:03 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 47144

Hi,

Ludovic Courtès <ludo@gnu.org> writes:

> Hi,
>
> Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> skribis:
>
>> * gnu/packages/base.scm (patch/fixed): New variable.
>> (patch)[replacement]: Graft.
>
> It’s (almost) useless to provide a graft of ‘patch’ because patch is
> usually a build-time only dependency.  (Maybe we can tell it’s not
> vulnerable to the issues at hand because in that context it’s always
> given controlled input: the package patches.)
>
> What could be useful is to provide a second version of patch so that
> people running ‘guix install patch’ or similar get the newer version.

The latest release of patch is the one we have, v2.7.6, made 4 years
ago.

Thanks,

Maxim
