From: ludo@gnu.org (Ludovic Courtès)
To: Marius Bakke
Cc: 30827@debbugs.gnu.org
Subject: [bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738.
Date: Tue, 20 Mar 2018 09:47:02 +0100

Hi,

Marius Bakke wrote:

> Leo Famulari writes:

[...]

>> From c29872dab8ca0a8fc20bdaf4183d6f061fa2c677 Mon Sep 17 00:00:00 2001
>> From: Leo Famulari
>> Date: Mon, 19 Mar 2018 17:13:26 -0400
>> Subject: [PATCH] gnu: util-linux: Fix CVE-2018-7738 without grafting.
>>
>> * gnu/packages/linux.scm (util-linux)[replacement]: Remove field.
>> (util-linux-2.31.1): New variable.
>> * gnu/system.scm (%base-packages): Use util-linux-2.31.1.
>
> [...]
>=20=20=20 >> -(define util-linux/fixed >> +;; The patch 'util-linux-CVE-2018-7738.patch' fixes a security bug in >> +;; the Bash completions for `mount`. Since this bug doesn't affect >> +;; other programs that link against libraries from util-linux, we don't >> +;; need to use a graft to make the fix available. Instead, users >> +;; installing util-linux will get the fix in this newer version, and >> +;; (@ (gnu system) %base-packages) takes care to use this package. >> +;; This solution was suggested here: >> +;; >> +(define-public util-linux-2.31.1 >> (package >> (inherit util-linux) >> - (source >> - (origin >> - (inherit (package-source util-linux)) >> - (patches (append (origin-patches (package-source util-linux)) >> - (search-patches "util-linux-CVE-2018-7738.patc= h"))))))) >> + (name "util-linux") >> + ;; XXX Don't update this without also updating %base-packages! >> + (version "2.31.1") >> + (source (origin >> + (method url-fetch) >> + (uri (string-append "mirror://kernel.org/linux/utils/" >> + name "/v" (version-major+minor versio= n) "/" >> + name "-" version ".tar.xz")) >> + (sha256 >> + (base32 >> + "04fzrnrr3pvqskvjn9f81y0knh0jvvqx4lmbz5pd4lfdm5pv2l8s")) >> + (patches (search-patches "util-linux-tests.patch" >> + "util-linux-CVE-2018-7738.patch"= )) >> + (modules '((guix build utils))) >> + (snippet >> + ;; We take the 'logger' program from GNU Inetutils and '= kill' >> + ;; from GNU Coreutils. >> + '(begin >> + (substitute* "configure" >> + (("build_logger=3Dyes") "build_logger=3Dno") >> + (("build_kill=3Dyes") "build_kill=3Dno")) >> + #t))))))
>
> You can keep (inherit (package-source ...)) here to avoid duplicating
> snippet, modules and method. Apart from that LGTM.

Agreed.

Thank you!

Ludo’.
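
Review bot: In the new origin of util-linux-2.31.1, the patches field is a hard-coded (search-patches "util-linux-tests.patch" "util-linux-CVE-2018-7738.patch"), whereas the removed code appended the CVE patch to (origin-patches (package-source util-linux)). With the literal list, any patch later added to the base util-linux origin will not reach this variant, so the package installed through %base-packages could silently miss a fix. Keeping (inherit (package-source util-linux)) and appending the CVE patch to the inherited patch list, while overriding only uri and sha256 for 2.31.1, avoids that and also removes the duplicated method, modules and snippet. Two smaller points on the same block: the comment "This solution was suggested here:" is followed by an empty ";;" line, so the reference it promises should be restored; and the XXX comment is the only thing tying the version string to %base-packages, while the variable name itself encodes 2.31.1, so a version bump also means renaming the variable and its use in gnu/system.scm, which the comment could say explicitly.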