[bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738.

[Marius Bakke <mbakke@fastmail.com>]

[-- Attachment #1: Type: text/plain, Size: 3179 bytes --]

Leo Famulari <leo@famulari.name> writes:

> On Mon, Mar 19, 2018 at 10:15:22AM +0100, Ludovic Courtès wrote:
>> I’m late to the party, but I’m wondering in this case if, instead of
>> grafting, we should simply add an util-linux@2.31a package, and make
>> sure GuixSD uses that one in %base-packages.
>> 
>> That way, both GuixSD and manually installed util-linux would get the
>> Bash completion fix.  It’s probably OK that packages that depend on
>> util-linux don’t get the fixed version because users don’t get bash
>> completion from there.
>> 
>> WDYT?
>
> What do you think of the attached patch?
> From c29872dab8ca0a8fc20bdaf4183d6f061fa2c677 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Mon, 19 Mar 2018 17:13:26 -0400
> Subject: [PATCH] gnu: util-linux: Fix CVE-2018-7738 without grafting.
>
> * gnu/packages/linux.scm (util-linux)[replacement]: Remove field.
> (util-linux-2.31.1): New variable.
> * gnu/system.scm (%base-packages): Use util-linux-2.31.1.

[...]
  
> -(define util-linux/fixed
> +;; The patch 'util-linux-CVE-2018-7738.patch' fixes a security bug in
> +;; the Bash completions for `mount`. Since this bug doesn't affect
> +;; other programs that link against libraries from util-linux, we don't
> +;; need to use a graft to make the fix available. Instead, users
> +;; installing util-linux will get the fix in this newer version, and
> +;; (@ (gnu system) %base-packages) takes care to use this package.
> +;; This solution was suggested here:
> +;; <https://debbugs.gnu.org/cgi/bugreport.cgi?bug=30827#13>
> +(define-public util-linux-2.31.1
>    (package
>      (inherit util-linux)
> -    (source
> -      (origin
> -        (inherit (package-source util-linux))
> -        (patches (append (origin-patches (package-source util-linux))
> -                         (search-patches "util-linux-CVE-2018-7738.patch")))))))
> +    (name "util-linux")
> +    ;; XXX Don't update this without also updating %base-packages!
> +    (version "2.31.1")
> +    (source (origin
> +              (method url-fetch)
> +              (uri (string-append "mirror://kernel.org/linux/utils/"
> +                                  name "/v" (version-major+minor version) "/"
> +                                  name "-" version ".tar.xz"))
> +              (sha256
> +               (base32
> +                "04fzrnrr3pvqskvjn9f81y0knh0jvvqx4lmbz5pd4lfdm5pv2l8s"))
> +              (patches (search-patches "util-linux-tests.patch"
> +                                       "util-linux-CVE-2018-7738.patch"))
> +              (modules '((guix build utils)))
> +              (snippet
> +               ;; We take the 'logger' program from GNU Inetutils and 'kill'
> +               ;; from GNU Coreutils.
> +               '(begin
> +                  (substitute* "configure"
> +                    (("build_logger=yes") "build_logger=no")
> +                    (("build_kill=yes") "build_kill=no"))
> +                  #t))))))

You can keep (inherit (package-source ...)) here to avoid duplicating
snippet, modules and method.  Apart from that LGTM.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]