From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:48209) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ey34V-0003Cq-I1 for guix-patches@gnu.org; Mon, 19 Mar 2018 18:16:05 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ey34U-0001ff-4B for guix-patches@gnu.org; Mon, 19 Mar 2018 18:16:03 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:34406) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1ey34T-0001fb-Uw for guix-patches@gnu.org; Mon, 19 Mar 2018 18:16:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1ey34T-0005Ik-Ov for guix-patches@gnu.org; Mon, 19 Mar 2018 18:16:01 -0400 Subject: [bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738. Resent-Message-ID: Date: Mon, 19 Mar 2018 18:15:51 -0400 From: Leo Famulari Message-ID: <20180319221551.GA25867@jasmine.lan> References: <871sggv32t.fsf@gnu.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="cmJC7u66zC7hs+87" Content-Disposition: inline In-Reply-To: <871sggv32t.fsf@gnu.org> List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" To: Ludovic =?UTF-8?Q?Court=C3=A8s?= Cc: 30827@debbugs.gnu.org --cmJC7u66zC7hs+87 Content-Type: multipart/mixed; boundary="HlL+5n6rz5pIUxbD" Content-Disposition: inline --HlL+5n6rz5pIUxbD Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Mar 19, 2018 at 10:15:22AM +0100, Ludovic Court=C3=A8s wrote: > I=E2=80=99m late to the party, but I=E2=80=99m wondering in this case if,= instead of > grafting, we should simply add an util-linux@2.31a package, and make > sure GuixSD uses that one in %base-packages. >=20 > That way, both GuixSD and manually installed util-linux would get the > Bash completion fix. It=E2=80=99s probably OK that packages that depend = on > util-linux don=E2=80=99t get the fixed version because users don=E2=80=99= t get bash > completion from there. >=20 > WDYT? What do you think of the attached patch? --HlL+5n6rz5pIUxbD Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: attachment; filename="0001-gnu-util-linux-Fix-CVE-2018-7738-without-grafting.patch" Content-Transfer-Encoding: quoted-printable =46rom c29872dab8ca0a8fc20bdaf4183d6f061fa2c677 Mon Sep 17 00:00:00 2001 =46rom: Leo Famulari Date: Mon, 19 Mar 2018 17:13:26 -0400 Subject: [PATCH] gnu: util-linux: Fix CVE-2018-7738 without grafting. * gnu/packages/linux.scm (util-linux)[replacement]: Remove field. (util-linux-2.31.1): New variable. * gnu/system.scm (%base-packages): Use util-linux-2.31.1. --- gnu/packages/linux.scm | 40 ++++++++++++++++++++++++++++++++-------- gnu/system.scm | 2 +- 2 files changed, 33 insertions(+), 9 deletions(-) diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index b586c29d0..710b39bbd 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -19,7 +19,7 @@ ;;; Copyright =A9 2016 Rene Saavedra ;;; Copyright =A9 2016 Carlos S=E1nchez de La Lama ;;; Copyright =A9 2016, 2017 ng0 -;;; Copyright =A9 2017 Leo Famulari +;;; Copyright =A9 2017, 2018 Leo Famulari ;;; Copyright =A9 2017 Jos=E9 Miguel S=E1nchez Garc=EDa ;;; Copyright =A9 2017 G=E1bor Boskovits ;;; Copyright =A9 2017 Mathieu Othacehe @@ -547,7 +547,6 @@ providing the system administrator with some help in co= mmon tasks.") (define-public util-linux (package (name "util-linux") - (replacement util-linux/fixed) (version "2.31") (source (origin (method url-fetch) @@ -635,14 +634,39 @@ block devices, UUIDs, TTYs, and many other tools.") (license (list license:gpl3+ license:gpl2+ license:gpl2 license:lgpl2.= 0+ license:bsd-4 license:public-domain)))) =20 -(define util-linux/fixed +;; The patch 'util-linux-CVE-2018-7738.patch' fixes a security bug in +;; the Bash completions for `mount`. Since this bug doesn't affect +;; other programs that link against libraries from util-linux, we don't +;; need to use a graft to make the fix available. Instead, users +;; installing util-linux will get the fix in this newer version, and +;; (@ (gnu system) %base-packages) takes care to use this package. +;; This solution was suggested here: +;; +(define-public util-linux-2.31.1 (package (inherit util-linux) - (source - (origin - (inherit (package-source util-linux)) - (patches (append (origin-patches (package-source util-linux)) - (search-patches "util-linux-CVE-2018-7738.patch")= )))))) + (name "util-linux") + ;; XXX Don't update this without also updating %base-packages! + (version "2.31.1") + (source (origin + (method url-fetch) + (uri (string-append "mirror://kernel.org/linux/utils/" + name "/v" (version-major+minor version) = "/" + name "-" version ".tar.xz")) + (sha256 + (base32 + "04fzrnrr3pvqskvjn9f81y0knh0jvvqx4lmbz5pd4lfdm5pv2l8s")) + (patches (search-patches "util-linux-tests.patch" + "util-linux-CVE-2018-7738.patch")) + (modules '((guix build utils))) + (snippet + ;; We take the 'logger' program from GNU Inetutils and 'kil= l' + ;; from GNU Coreutils. + '(begin + (substitute* "configure" + (("build_logger=3Dyes") "build_logger=3Dno") + (("build_kill=3Dyes") "build_kill=3Dno")) + #t)))))) =20 (define-public ddate (package diff --git a/gnu/system.scm b/gnu/system.scm index eb4b63c42..0e647356c 100644 --- a/gnu/system.scm +++ b/gnu/system.scm @@ -515,7 +515,7 @@ explicitly appear in OS." ;; required for basic administrator tasks. (cons* procps psmisc which less zile nano pciutils usbutils - util-linux inetutils isc-dhcp + util-linux-2.31.1 inetutils isc-dhcp (@ (gnu packages admin) shadow) ;for 'passwd' =20 ;; wireless-tools is deprecated in favor of iw, but it's still wh= at --=20 2.16.2 --HlL+5n6rz5pIUxbD-- --cmJC7u66zC7hs+87 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlqwNpMACgkQJkb6MLrK fwiO8Q/8DzVWsOUBFKU/p5NQuOTX1SuzjNgtLVGqPFZqQ4CO9b6sEdLcZGYNwMNl 0kBV94tCTQ8iQMOZ+eCREiwdjk9PA1dNQOh67WBmBffr2fiqfEx0Px+aZ6zShwHG WIRPFfQxSMRG4S5J6PXqkIB0ipm1wPYbOZS7gfZvyHoYen0iGgBB1swBpmU+xkQ1 ZUtBPzaYqTWbf6kuOen0ZXHQTI27BEApa+6cvi6LpmfhFJfnNVogtyTR6ugs4W6J es1p72o7WhOHCHvT9m/sHbBFzIqIhGxWhvBkXs2TqCbIz7pjXDkt0Nz4++YaWIOB Jejif/EEYvEXftFm+IdiCKsZCcLYuuOLyZl2WSz1qnmCmylQ+I9YcCW1qDnOPQmm jGoHUdOPiKV7PokjnedAE3CrDy8o5nnb9cL4Fm2RMYYE3Ew/o6gYu3SkF9YBkhDX GrC++j+W1TGg27GsuIMx3g1ofKPbXBkhCeFJVCNBiS10rnLN5YAEvlyf7za0JGrt 1IbnazauYLL4N4U0THpqzBDaIP1GLlE6ZbSGcDxUtmH6Cn5rO3sJsuLFDtBi82WC P8IL5OPcgZrcdHbbf6rLtgfdMeYJwuaydagrH2UStzyhBWbtMxYIl5N3VLUmZ0Rz QufzKz/B/zQDwaL3n3RsVfRKdwdbr5oeoGpy6VUbUJsABROGBaI= =SEVg -----END PGP SIGNATURE----- --cmJC7u66zC7hs+87--