[PATCH 0/2] Add graft for Bash CVE-2017-5932

unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed

* [PATCH 0/2] Add graft for Bash CVE-2017-5932
@ 2017-02-10  9:40 Ludovic Courtès
  2017-02-10  9:40 ` [PATCH 1/2] gnu: bash: Update patch URL to 4.4 Ludovic Courtès
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Ludovic Courtès @ 2017-02-10  9:40 UTC (permalink / raw)
  To: guix-devel

Hello!

This patch fixes Bash CVE-2017-5932, which is a remote code execution
vulnerability triggered by file name completion and disclosed on Wednesday:

  https://github.com/jheyens/bash_completion_vuln/raw/master/2017-01-17.bash_completion_report.pdf
  http://www.openwall.com/lists/oss-security/2017/02/07/9

I'll apply it today if there are no objections.

Thanks in advance,
Ludo'.

Ludovic Courtès (2):
  gnu: bash: Update patch URL to 4.4.
  gnu: bash: Add graft for patch #7 [fixes CVE-2017-5932].

 gnu/packages/bash.scm | 46 ++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 44 insertions(+), 2 deletions(-)

-- 
2.11.0

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH 1/2] gnu: bash: Update patch URL to 4.4.
  2017-02-10  9:40 [PATCH 0/2] Add graft for Bash CVE-2017-5932 Ludovic Courtès
@ 2017-02-10  9:40 ` Ludovic Courtès
  2017-02-10  9:40 ` [PATCH 2/2] gnu: bash: Add graft for patch #7 [fixes CVE-2017-5932] Ludovic Courtès
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Ludovic Courtès @ 2017-02-10  9:40 UTC (permalink / raw)
  To: guix-devel

* gnu/packages/bash.scm (patch-url): Change "43" to "44".
---
 gnu/packages/bash.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/bash.scm b/gnu/packages/bash.scm
index d59170d53..dcf771aef 100644
--- a/gnu/packages/bash.scm
+++ b/gnu/packages/bash.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Leo Famulari <leo@famulari.name>
 ;;;
@@ -38,7 +38,7 @@
 
 (define (patch-url seqno)
   "Return the URL of Bash patch number SEQNO."
-  (format #f "mirror://gnu/bash/bash-4.3-patches/bash43-~3,'0d" seqno))
+  (format #f "mirror://gnu/bash/bash-4.4-patches/bash44-~3,'0d" seqno))
 
 (define (bash-patch seqno sha256)
   "Return the origin of Bash patch SEQNO, with expected hash SHA256"
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* [PATCH 2/2] gnu: bash: Add graft for patch #7 [fixes CVE-2017-5932].
  2017-02-10  9:40 [PATCH 0/2] Add graft for Bash CVE-2017-5932 Ludovic Courtès
  2017-02-10  9:40 ` [PATCH 1/2] gnu: bash: Update patch URL to 4.4 Ludovic Courtès
@ 2017-02-10  9:40 ` Ludovic Courtès
  2017-02-10 12:23 ` [PATCH 0/2] Add graft for Bash CVE-2017-5932 Leo Famulari
  2017-02-10 15:48 ` Ludovic Courtès
  3 siblings, 0 replies; 5+ messages in thread
From: Ludovic Courtès @ 2017-02-10  9:40 UTC (permalink / raw)
  To: guix-devel

* gnu/packages/bash.scm (bash)[replacement]: New field.
(bash-minimal): Likewise.
(url-fetch/reset-patch-level): New procedure.
(bash/fixed): New variable.
---
 gnu/packages/bash.scm | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/gnu/packages/bash.scm b/gnu/packages/bash.scm
index dcf771aef..c121fd84d 100644
--- a/gnu/packages/bash.scm
+++ b/gnu/packages/bash.scm
@@ -28,6 +28,9 @@
   #:use-module (guix packages)
   #:use-module (guix download)
   #:use-module (guix utils)
+  #:use-module (guix gexp)
+  #:use-module (guix monads)
+  #:use-module (guix store)
   #:use-module (guix build-system gnu)
   #:autoload   (guix gnupg) (gnupg-verify*)
   #:autoload   (guix hash) (port-sha256)
@@ -95,6 +98,7 @@ number/base32-hash tuples, directly usable in the 'patch-series' form."
          (version "4.4"))
     (package
      (name "bash")
+     (replacement bash/fixed)
      (source (origin
               (method url-fetch)
               (uri (string-append
@@ -181,6 +185,7 @@ without modification.")
   ;; A stripped-down Bash for non-interactive use.
   (package (inherit bash)
     (name "bash-minimal")
+    (replacement #f) ;not vulnerable to CVE-2017-5932 since it lacks completion
     (inputs '())                                ; no readline, no curses
 
     ;; No "include" output because there's no support for loadable modules.
@@ -236,6 +241,43 @@ without modification.")
                    (delete-file-recursively (string-append out "/share"))
                    #t))))))))))
 
+(define* (url-fetch/reset-patch-level url hash-algo hash
+                                      #:optional name
+                                      #:key (system (%current-system)) guile)
+  "Fetch the Bash patch from URL and reset its 'PATCHLEVEL' definition so it
+can apply to a patch-level 0 Bash."
+  (mlet* %store-monad ((name -> (or name (basename url)))
+                       (patch (url-fetch url hash-algo hash
+                                         (string-append name ".orig")
+                                         #:system system
+                                         #:guile guile)))
+    (gexp->derivation name
+                      (with-imported-modules '((guix build utils))
+                        #~(begin
+                            (use-modules (guix build utils))
+                            (copy-file #$patch #$output)
+                            (substitute* #$output
+                              (("PATCHLEVEL [0-6]+")
+                               "PATCHLEVEL 0"))))
+                      #:guile-for-build guile
+                      #:system system)))
+
+(define bash/fixed                        ;CVE-2017-5932 (RCE with completion)
+  (package
+    (inherit bash)
+    (version "4.4.A")                             ;4.4.0 + patch #7
+    (replacement #f)
+    (source
+     (origin
+       (inherit (package-source bash))
+       (patches (cons (origin
+                        (method url-fetch/reset-patch-level)
+                        (uri (patch-url 7))
+                        (sha256
+                         (base32
+                          "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y")))
+                      (origin-patches (package-source bash))))))))
+
 (define-public bash-completion
   (package
     (name "bash-completion")
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH 0/2] Add graft for Bash CVE-2017-5932
  2017-02-10  9:40 [PATCH 0/2] Add graft for Bash CVE-2017-5932 Ludovic Courtès
  2017-02-10  9:40 ` [PATCH 1/2] gnu: bash: Update patch URL to 4.4 Ludovic Courtès
  2017-02-10  9:40 ` [PATCH 2/2] gnu: bash: Add graft for patch #7 [fixes CVE-2017-5932] Ludovic Courtès
@ 2017-02-10 12:23 ` Leo Famulari
  2017-02-10 15:48 ` Ludovic Courtès
  3 siblings, 0 replies; 5+ messages in thread
From: Leo Famulari @ 2017-02-10 12:23 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

On Fri, Feb 10, 2017 at 10:40:56AM +0100, Ludovic Courtès wrote:
> Hello!
> 
> This patch fixes Bash CVE-2017-5932, which is a remote code execution
> vulnerability triggered by file name completion and disclosed on Wednesday:
> 
>   https://github.com/jheyens/bash_completion_vuln/raw/master/2017-01-17.bash_completion_report.pdf
>   http://www.openwall.com/lists/oss-security/2017/02/07/9
> 
> I'll apply it today if there are no objections.

Thank you!

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH 0/2] Add graft for Bash CVE-2017-5932
  2017-02-10  9:40 [PATCH 0/2] Add graft for Bash CVE-2017-5932 Ludovic Courtès
                   ` (2 preceding siblings ...)
  2017-02-10 12:23 ` [PATCH 0/2] Add graft for Bash CVE-2017-5932 Leo Famulari
@ 2017-02-10 15:48 ` Ludovic Courtès
  3 siblings, 0 replies; 5+ messages in thread
From: Ludovic Courtès @ 2017-02-10 15:48 UTC (permalink / raw)
  To: guix-devel

Ludovic Courtès <ludo@gnu.org> skribis:

> This patch fixes Bash CVE-2017-5932, which is a remote code execution
> vulnerability triggered by file name completion and disclosed on Wednesday:
>
>   https://github.com/jheyens/bash_completion_vuln/raw/master/2017-01-17.bash_completion_report.pdf
>   http://www.openwall.com/lists/oss-security/2017/02/07/9
>
> I'll apply it today if there are no objections.

Pushed!

I recommend updating since this issue becomes a real problem in
conjunction with browsers that download files without first opening a
dialog box, for example.

Ludo’.

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2017-02-11 18:47 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-02-10  9:40 [PATCH 0/2] Add graft for Bash CVE-2017-5932 Ludovic Courtès
2017-02-10  9:40 ` [PATCH 1/2] gnu: bash: Update patch URL to 4.4 Ludovic Courtès
2017-02-10  9:40 ` [PATCH 2/2] gnu: bash: Add graft for patch #7 [fixes CVE-2017-5932] Ludovic Courtès
2017-02-10 12:23 ` [PATCH 0/2] Add graft for Bash CVE-2017-5932 Leo Famulari
2017-02-10 15:48 ` Ludovic Courtès

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).