From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: Re: [PATCH 1/1] gnu: perl: Replace with patched version [fixes
	CVE-2016-2381].
Date: Thu, 3 Mar 2016 00:52:27 -0500
Message-ID: <20160303055227.GA26189@jasmine>
References: <cover.1456947844.git.leo@famulari.name>
	<cover.1456947844.git.leo@famulari.name>
	<92cf16de48838de4d9d060886f0bc9915e8f52e1.1456947844.git.leo@famulari.name>
	<87io14czt1.fsf@gnu.org> <20160303040613.GA24614@jasmine>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:55942)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1abMBd-0004Bh-2G
	for guix-devel@gnu.org; Thu, 03 Mar 2016 00:52:34 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1abMBZ-00084N-QB
	for guix-devel@gnu.org; Thu, 03 Mar 2016 00:52:33 -0500
Received: from out3-smtp.messagingengine.com ([66.111.4.27]:40685)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1abMBZ-00084H-Jm
	for guix-devel@gnu.org; Thu, 03 Mar 2016 00:52:29 -0500
Received: from compute2.internal (compute2.nyi.internal [10.202.2.42])
	by mailout.nyi.internal (Postfix) with ESMTP id 2647F20380
	for <guix-devel@gnu.org>; Thu,  3 Mar 2016 00:52:29 -0500 (EST)
Content-Disposition: inline
In-Reply-To: <20160303040613.GA24614@jasmine>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
To: Ludovic =?iso-8859-1?Q?Court=E8s?= <ludo@gnu.org>
Cc: guix-devel@gnu.org

On Wed, Mar 02, 2016 at 11:06:13PM -0500, Leo Famulari wrote:
> On Wed, Mar 02, 2016 at 10:52:58PM +0100, Ludovic Courtès wrote:
> > Leo Famulari <leo@famulari.name> skribis:
> > 
> > > * gnu/packages/patches/perl-CVE-2016-2381.patch: New file.
> > > * gnu-system.am (dist_patch_DATA): Add it.
> > > * gnu/packages/perl.scm (perl)[replacement]: New field.
> > > (perl-5.22.1-2): New variable.
> > 
> > Should be ‘perl-fixed’.
> 
> Done. I also altered the context of the patch to reflect that its
> source is actually upstream Perl, although Debian did cherry-pick it.
> 
> > 
> > > * gnu/packages/commencement.scm (perl-boot0)[replacement]: New field.
> > 
> > Otherwise LGTM, as long as you confirm that nothing goes really wrong
> > once it’s applied.  :-)
> 
> Here are some things I tried:
> 
> 1) Built and booted a VM with `guix system vm`. I don't know if perl (as
> opposed to perl-boot0) is used in this process, but it did work.
> 
> 2) Built and installed git on top of it, and then rolled back the commit
> and used `git add -i` to recreate it, and then `git send-email` to
> submit it. Both of those tools are Perl scripts.

By "on top of it" I mean on top of this patch, not on the VM.

> 
> https://git.kernel.org/cgit/git/git.git/tree/git-add--interactive.perl
> https://git.kernel.org/cgit/git/git.git/tree/git-send-email.perl