unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* Handling ‘file’ CVE
@ 2014-11-13 10:41 Ludovic Courtès
  2014-11-13 13:00 ` Andreas Enge
  2014-11-13 16:54 ` Ludovic Courtès
  0 siblings, 2 replies; 9+ messages in thread
From: Ludovic Courtès @ 2014-11-13 10:41 UTC (permalink / raw)
  To: Guix-devel, Mark H. Weaver

Commit 3940c5c makes a replacement for ‘file’, so that the new version
of file (5.20), which fixes a security vulnerability, is now grafted
onto packages that are installed.

I wonder if using a replacement makes sense here, because few packages
actually retain a dependency on ‘file’, and since grafting is
conservative, we graft anything that might retain a dependency on
‘file’, which means everything.

What about this other option: make another public package, ‘file-5.20’,
next to ‘file’, such that when a user explicitly installs ‘file’, they
get the new one?

That won’t address people referring to ‘file’ (the variable) in their OS
configuration, though.

Thanks,
Ludo’.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Handling ‘file’ CVE
  2014-11-13 10:41 Handling ‘file’ CVE Ludovic Courtès
@ 2014-11-13 13:00 ` Andreas Enge
  2014-11-13 13:17   ` Ludovic Courtès
  2014-11-13 16:54 ` Ludovic Courtès
  1 sibling, 1 reply; 9+ messages in thread
From: Andreas Enge @ 2014-11-13 13:00 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: Guix-devel

On Thu, Nov 13, 2014 at 11:41:17AM +0100, Ludovic Courtès wrote:
> Commit 3940c5c makes a replacement for ‘file’, so that the new version
> of file (5.20), which fixes a security vulnerability, is now grafted
> onto packages that are installed.

From what it looks like on hydra, this triggered a complete rebuild of
everything...

Andreas

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Handling ‘file’ CVE
  2014-11-13 13:00 ` Andreas Enge
@ 2014-11-13 13:17   ` Ludovic Courtès
  0 siblings, 0 replies; 9+ messages in thread
From: Ludovic Courtès @ 2014-11-13 13:17 UTC (permalink / raw)
  To: Andreas Enge; +Cc: Guix-devel

Andreas Enge <andreas@enge.fr> skribis:

> On Thu, Nov 13, 2014 at 11:41:17AM +0100, Ludovic Courtès wrote:
>> Commit 3940c5c makes a replacement for ‘file’, so that the new version
>> of file (5.20), which fixes a security vulnerability, is now grafted
>> onto packages that are installed.
>
> From what it looks like on hydra, this triggered a complete rebuild of
> everything...

It’s a grafting of everything, not a rebuild, so this is expected to be
much faster as noted in the manual.

Still, I agree it’s annoying to see this overhead on Hydra.

Ludo’.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Handling ‘file’ CVE
  2014-11-13 10:41 Handling ‘file’ CVE Ludovic Courtès
  2014-11-13 13:00 ` Andreas Enge
@ 2014-11-13 16:54 ` Ludovic Courtès
  2014-11-13 18:03   ` Mark H Weaver
  1 sibling, 1 reply; 9+ messages in thread
From: Ludovic Courtès @ 2014-11-13 16:54 UTC (permalink / raw)
  To: Guix-devel

ludo@gnu.org (Ludovic Courtès) skribis:

> What about this other option: make another public package, ‘file-5.20’,
> next to ‘file’, such that when a user explicitly installs ‘file’, they
> get the new one?

I ended up taking that route, in commit 310081e.

The replacement caused too much churn on Hydra.  Furthermore, it led to
a serious increase in the installation image size, because several
variants of a number of packages were present, and because
‘guix-register -p’ doesn’t deduplicate things.

Ludo’.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Handling ‘file’ CVE
  2014-11-13 16:54 ` Ludovic Courtès
@ 2014-11-13 18:03   ` Mark H Weaver
  2014-11-13 18:47     ` Eric Bavier
  2014-11-13 20:43     ` Ludovic Courtès
  0 siblings, 2 replies; 9+ messages in thread
From: Mark H Weaver @ 2014-11-13 18:03 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: Guix-devel

ludo@gnu.org (Ludovic Courtès) writes:

> ludo@gnu.org (Ludovic Courtès) skribis:
>
>> What about this other option: make another public package, ‘file-5.20’,
>> next to ‘file’, such that when a user explicitly installs ‘file’, they
>> get the new one?
>
> I ended up taking that route, in commit 310081e.

FWIW, I think it would be better for 'file' to be bound to the fixed
package, and to add a 'file/fixed' that points to the old buggy one.
Then 'file/fixed' could be used in some selected places.

'file' is used as a plain input (as opposed to native-input) in several
places that make me a bit nervous, e.g. the 'transmission' bittorrent
client (is 'file' being used at runtime on downloaded files?), and also
'aegis', 'quilt', and 'cmake'.

Finally, 'file' is a propagated-input for 'intltool', which means that
if anyone installs 'intltool' in their profile, they will have the buggy
'file' in their PATH.

    Regards,
      Mark

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Handling ‘file’ CVE
  2014-11-13 18:03   ` Mark H Weaver
@ 2014-11-13 18:47     ` Eric Bavier
  2014-11-13 20:13       ` Ludovic Courtès
  2014-11-13 20:43     ` Ludovic Courtès
  1 sibling, 1 reply; 9+ messages in thread
From: Eric Bavier @ 2014-11-13 18:47 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: Guix-devel

[-- Attachment #1: Type: text/plain, Size: 246 bytes --]


Mark H Weaver writes:

> Finally, 'file' is a propagated-input for 'intltool', which means that
> if anyone installs 'intltool' in their profile, they will have the buggy
> 'file' in their PATH.

The attached patch might be enough to fix this.


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-gnu-intltool-Make-file-a-regular-input.patch --]
[-- Type: text/x-diff, Size: 1583 bytes --]

From fff25ec0451a65ccd5972d16ef96221c85084566 Mon Sep 17 00:00:00 2001
From: Eric Bavier <bavier@member.fsf.org>
Date: Thu, 13 Nov 2014 12:46:04 -0600
Subject: [PATCH] gnu: intltool: Make file a regular input.

* gnu/packages/glib.scm (intltool)[propagated-inputs]: Move file from here...
  [inputs]: to here.
  [arguments]: New 'patch-file-references phase.
---
 gnu/packages/glib.scm |   11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/glib.scm b/gnu/packages/glib.scm
index 9076643..212d3b6 100644
--- a/gnu/packages/glib.scm
+++ b/gnu/packages/glib.scm
@@ -250,16 +250,21 @@ bindings to call into the C library.")
               (base32
                "01j4yd7i84n9nk4ccs6yifg84pp68nr9by57jdbhj7dpdxf5rwk7"))))
     (build-system gnu-build-system)
+    (inputs
+     `(("file" ,file)))
     (propagated-inputs
      `(;; Propagate gettext because users expect it to be there, and so does
        ;; the `intltool-update' script.
        ("gettext" ,gnu-gettext)
 
-       ;; `file' is used by `intltool-update' too.
-       ("file" ,file)
-
        ("perl-xml-parser" ,perl-xml-parser)
        ("perl" ,perl)))
+    (arguments
+     `(#:phases (alist-cons-after
+                 'unpack 'patch-file-references
+                 (lambda _
+                   (substitute* "intltool-update.in"
+                     (("`file") (string-append "`" (which "file"))))))))
     (home-page "https://launchpad.net/intltool/+download")
     (synopsis "Tools to centralise translations of different file formats")
     (description
-- 
1.7.9.5


[-- Attachment #3: Type: text/plain, Size: 133 bytes --]


-- 
Eric Bavier

Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html

^ permalink raw reply related	[flat|nested] 9+ messages in thread

* Re: Handling ‘file’ CVE
  2014-11-13 18:47     ` Eric Bavier
@ 2014-11-13 20:13       ` Ludovic Courtès
  2014-11-13 20:42         ` Eric Bavier
  0 siblings, 1 reply; 9+ messages in thread
From: Ludovic Courtès @ 2014-11-13 20:13 UTC (permalink / raw)
  To: Eric Bavier; +Cc: Guix-devel

Eric Bavier <ericbavier@gmail.com> skribis:

> Mark H Weaver writes:
>
>> Finally, 'file' is a propagated-input for 'intltool', which means that
>> if anyone installs 'intltool' in their profile, they will have the buggy
>> 'file' in their PATH.
>
> The attached patch might be enough to fix this.

But ‘guix refresh -l’ says 142 packages depend on it...

> From fff25ec0451a65ccd5972d16ef96221c85084566 Mon Sep 17 00:00:00 2001
> From: Eric Bavier <bavier@member.fsf.org>
> Date: Thu, 13 Nov 2014 12:46:04 -0600
> Subject: [PATCH] gnu: intltool: Make file a regular input.
>
> * gnu/packages/glib.scm (intltool)[propagated-inputs]: Move file from here...
>   [inputs]: to here.
>   [arguments]: New 'patch-file-references phase.

[...]

> +    (arguments
> +     `(#:phases (alist-cons-after
> +                 'unpack 'patch-file-references
> +                 (lambda _
> +                   (substitute* "intltool-update.in"
> +                     (("`file") (string-append "`" (which "file"))))))))

Should use (string-append (assoc-ref inputs "file") "/bin/file") to work
correctly in a cross-compilation context.

Also, the last argument to ‘alist-cons-after’ is missing.

Could you push the updated patch to ‘core-updates’?  We’ll see how where
it takes us.

The main limitation here is that it takes almost a week for the MIPS
machine to rebuild everything (~2 days for Intel), and I’d like
everything to be built on the D-day.

Thanks,
Ludo’.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Handling ‘file’ CVE
  2014-11-13 20:13       ` Ludovic Courtès
@ 2014-11-13 20:42         ` Eric Bavier
  0 siblings, 0 replies; 9+ messages in thread
From: Eric Bavier @ 2014-11-13 20:42 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: Guix-devel


Ludovic Courtès writes:

> Eric Bavier <ericbavier@gmail.com> skribis:
>
>> Mark H Weaver writes:
>>
>>> Finally, 'file' is a propagated-input for 'intltool', which means that
>>> if anyone installs 'intltool' in their profile, they will have the buggy
>>> 'file' in their PATH.
>>
>> The attached patch might be enough to fix this.
>>
>> +    (arguments
>> +     `(#:phases (alist-cons-after
>> +                 'unpack 'patch-file-references
>> +                 (lambda _
>> +                   (substitute* "intltool-update.in"
>> +                     (("`file") (string-append "`" (which "file"))))))))
>
> Should use (string-append (assoc-ref inputs "file") "/bin/file") to work
> correctly in a cross-compilation context.

I thought that might need to be done, but couldn't think why.  Thanks
for providing the reason ;)

> Also, the last argument to ‘alist-cons-after’ is missing.

I noticed that soon after I emailed the patch. 

> Could you push the updated patch to ‘core-updates’?  We’ll see how where
> it takes us.

Will do.

> The main limitation here is that it takes almost a week for the MIPS
> machine to rebuild everything (~2 days for Intel), and I’d like
> everything to be built on the D-day.

That would be nice, yes.

-- 
Eric Bavier

Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Handling ‘file’ CVE
  2014-11-13 18:03   ` Mark H Weaver
  2014-11-13 18:47     ` Eric Bavier
@ 2014-11-13 20:43     ` Ludovic Courtès
  1 sibling, 0 replies; 9+ messages in thread
From: Ludovic Courtès @ 2014-11-13 20:43 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: Guix-devel

[-- Attachment #1: Type: text/plain, Size: 533 bytes --]

Mark H Weaver <mhw@netris.org> skribis:

> FWIW, I think it would be better for 'file' to be bound to the fixed
> package, and to add a 'file/fixed' that points to the old buggy one.
> Then 'file/fixed' could be used in some selected places.
>
> 'file' is used as a plain input (as opposed to native-input) in several
> places that make me a bit nervous, e.g. the 'transmission' bittorrent
> client (is 'file' being used at runtime on downloaded files?), and also
> 'aegis', 'quilt', and 'cmake'.

This script helps determine this:


[-- Attachment #2: the script --]
[-- Type: text/plain, Size: 1167 bytes --]

(use-modules (guix) (gnu)
             (gnu packages file)
             (ice-9 match)
             (srfi srfi-1)
             (srfi srfi-26))

(define (file-input? inputs)
  (find (match-lambda
         ((label (? package? p) . _)
          (eq? p file))
         (_ #f))
        inputs))

(define (packages-using-file)
  (fold-packages (lambda (package result)
                   (if (or (file-input? (package-inputs package))
                           (file-input? (package-propagated-inputs package)))
                       (cons package result)
                       result))
                 '()))

(define (has-runtime-dependency-on-file? package)
  (with-store store
    (let* ((file (package-full-name file))
           (drv  (package-derivation store package))
           (outs (map cdr (derivation->output-paths drv)))
           (info (substitutable-path-info store outs)))
      (find (lambda (info)
              (find (cut string-suffix? file <>)
                    (substitutable-references info)))
            info))))

(define (packages-with-runtime-dependency-on-file)
  (filter has-runtime-dependency-on-file?
          (packages-using-file)))

[-- Attachment #3: Type: text/plain, Size: 784 bytes --]


The result is:

--8<---------------cut here---------------start------------->8---
scheme@(guile-user)> (packages-with-runtime-dependency-on-file)
$8 = (#<package quilt-0.61 gnu/packages/patchutils.scm:85 41f5240> #<package aegis-4.24 gnu/packages/version-control.scm:491 383c240>)
--8<---------------cut here---------------end--------------->8---

These two packages are leaves, so it’s fine to change them to use the
fixed ‘file’.  Done in 351d690.

> Finally, 'file' is a propagated-input for 'intltool', which means that
> if anyone installs 'intltool' in their profile, they will have the buggy
> 'file' in their PATH.

This one is more problematic.  We can try to apply Eric’s patch, but
that’s a lot of rebuild.

Thanks for the analysis,
Ludo’.

^ permalink raw reply	[flat|nested] 9+ messages in thread

end of thread, other threads:[~2014-11-13 20:43 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-11-13 10:41 Handling ‘file’ CVE Ludovic Courtès
2014-11-13 13:00 ` Andreas Enge
2014-11-13 13:17   ` Ludovic Courtès
2014-11-13 16:54 ` Ludovic Courtès
2014-11-13 18:03   ` Mark H Weaver
2014-11-13 18:47     ` Eric Bavier
2014-11-13 20:13       ` Ludovic Courtès
2014-11-13 20:42         ` Eric Bavier
2014-11-13 20:43     ` Ludovic Courtès

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).