I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.

Mark

-------------------- Start of forwarded message --------------------
Subject: security patching of 'patch' package
From: Léo Le Bouter <lle-bout@zaclys.net>
To: guix-devel@gnu.org
Date: Wed, 10 Mar 2021 04:14:35 +0100

Hello!

I found that the 'patch' package is vulnerable to numerous CVEs that other distros like Debian have patched.

Here's the list reported by 'guix lint -c cve patch':

patch@2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638, CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951, CVE-2018-6952

Can I use the latest commit from master to build 'patch' and then graft the original package? i.e. https://git.savannah.gnu.org/git/patch.git

There are not that many commits since the last release, but a lot of time has passed: https://git.savannah.gnu.org/cgit/patch.git/log/

Thank you,
Léo
-------------------- End of forwarded message --------------------
I tried something, using the patch git repo's master instead of the release tarballs. I am not sure the git repo contains all the fixes; we could alternatively just pull patches from Debian.

This attempt does not work yet, however: it fails on some gnulib source file not being found, for some reason:

gcc: error: parse-datetime.c: No such file or directory
gcc: fatal error: no input files
compilation terminated.

Judging from the earlier log, this file seems to be generated by YACC.

Léo Le Bouter (1):
  gnu: patch: Update to 2.7.6-7623b2d [security fixes].

 gnu/packages/base.scm | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

-- 
2.30.2
* gnu/packages/base.scm (patch/fixed): New variable. (patch)[replacement]: Graft. --- gnu/packages/base.scm | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index 9aa69cfe77..a71b47ac4f 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm @@ -46,12 +46,14 @@ #:use-module (gnu packages compression) #:use-module (gnu packages perl) #:use-module (gnu packages linux) + #:use-module (gnu packages autotools) #:use-module (gnu packages pcre) #:use-module (gnu packages texinfo) #:use-module (gnu packages hurd) #:use-module (gnu packages pkg-config) #:use-module (gnu packages python) #:use-module (gnu packages gettext) + #:use-module (gnu packages version-control) #:use-module (guix i18n) #:use-module (guix utils) #:use-module (guix packages) @@ -228,6 +230,7 @@ standard utility.") (base32 "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc")) (patches (search-patches "patch-hurd-path-max.patch")))) + (replacement patch/fixed) (build-system gnu-build-system) (arguments ;; Work around a cross-compilation bug whereby libpatch.a would provide 
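Review bot: the `(replacement patch/fixed)` field added to `patch` will reach very few installed packages, because `patch` is nearly always a build-time native input and grafts only rewrite references in runtime closures; the graft machinery will run but almost nothing will actually be replaced. If the intent is that `guix install patch` gives users the newer code, a separate `define-public` package (a second, explicitly versioned variable next to `patch`) does that without a graft. If the graft is kept anyway, add a comment on this line saying why a build-time-only tool is being grafted, so the next person does not remove it as a no-op.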
@@ -246,6 +249,42 @@ differences.") (license gpl3+) (home-page "https://savannah.gnu.org/projects/patch/"))) +(define patch/fixed + (let ((commit "7623b2dc0d1837ecfd58f32efc78e35834deeb38")) + (package/inherit patch + (name "patch") + (version "2.7.6") + ;; (version (string-append "2.7.6-" (string-take commit 7))) + (source + (origin + (method git-fetch) + (uri (git-reference + (url "https://git.savannah.gnu.org/git/patch.git") + (commit commit) + (recursive? #t))) + (file-name (git-file-name name version)) + (sha256 + (base32 + "0k3i95gkbi21lipadlg1zd03d928b65x322q08xgdg461vnw2i6h")) + (patches (search-patches "patch-hurd-path-max.patch")))) + (arguments + (substitute-keyword-arguments (package-arguments patch) + ((#:phases phases '%standard-phases) + `(modify-phases ,phases + (replace 'bootstrap + (lambda* (#:key inputs #:allow-other-keys) + (substitute* (list "gnulib/gnulib-tool" + "gnulib/build-aux/git-version-gen") + (("/bin/sh") (which "sh"))) + (invoke "bash" "bootstrap" "--no-git" + "--gnulib-srcdir=gnulib") + #t)))))) + (native-inputs + `(("autoconf" ,autoconf) + ("automake" ,automake) + ("git" ,git-minimal) + ,@(package-native-inputs patch)))))) + (define-public diffutils (package (name "diffutils") -- 2.30.2
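Review bot: the failure reported in the cover letter (`gcc: error: parse-datetime.c: No such file or directory`) points to a missing `bison` in `native-inputs` of `patch/fixed`: gnulib's `parse-datetime.c` is generated from `parse-datetime.y` by bison, and the release tarball ships the generated file while a git checkout does not. Add `("bison" ,bison)` alongside `autoconf`, `automake` and `git-minimal` (with `#:use-module (gnu packages bison)` in the module header) and re-check the bootstrap log for any other generated file the tarball used to carry. Smaller points in the same hunk: the commented-out `(version (string-append "2.7.6-" (string-take commit 7)))` should become a comment explaining why the version must stay `2.7.6` (a graft's replacement must produce a store file name of the same length as the original), `(name "patch")` is redundant under `package/inherit`, the `patches` field could reuse the original's via `(origin-patches (package-source patch))` instead of repeating `search-patches`, and `#:key inputs` in the replaced `'bootstrap` lambda is unused and can be dropped.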
Hi,
Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> skribis:
> * gnu/packages/base.scm (patch/fixed): New variable.
> (patch)[replacement]: Graft.
It’s (almost) useless to provide a graft of ‘patch’ because patch is
usually a build-time only dependency. (Maybe we can tell it’s not
vulnerable to the issues at hand because in that context it’s always
given controlled input: the package patches.)
What could be useful is to provide a second version of patch so that
people running ‘guix install patch’ or similar get the newer version.
HTH,
Ludo’.
On Sun, Mar 14, 2021 at 05:37:25PM -0400, Mark H Weaver wrote:
> patch@2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638,
> CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951,
> CVE-2018-6952
I tried building a "fixed" package of patch, cherry-picking bug fix
patches from patch.git.
Unfortunately, the patches largely don't apply to the most recent
release of patch.
Since there is no release fixing these bugs, and no clear advice about
which patches to apply, I'm going to stop working on this for now.
Hi,
Ludovic Courtès <ludo@gnu.org> writes:
> Hi,
>
> Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> skribis:
>
>> * gnu/packages/base.scm (patch/fixed): New variable.
>> (patch)[replacement]: Graft.
>
> It’s (almost) useless to provide a graft of ‘patch’ because patch is
> usually a build-time only dependency. (Maybe we can tell it’s not
> vulnerable to the issues at hand because in that context it’s always
> given controlled input: the package patches.)
>
> What could be useful is to provide a second version of patch so that
> people running ‘guix install patch’ or similar get the newer version.
The latest release of patch is the one we have, v2.7.6, made 4 years
ago.
Thanks,
Maxim