From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:54346)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ey60V-0005S1-8s
	for guix-patches@gnu.org; Mon, 19 Mar 2018 21:24:08 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ey60Q-00035C-AB
	for guix-patches@gnu.org; Mon, 19 Mar 2018 21:24:07 -0400
Received: from debbugs.gnu.org ([208.118.235.43]:34531)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1ey60Q-000351-7E
	for guix-patches@gnu.org; Mon, 19 Mar 2018 21:24:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ey60P-0005Lc-Ts
	for guix-patches@gnu.org; Mon, 19 Mar 2018 21:24:01 -0400
Subject: [bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738.
Resent-Message-ID: <handler.30827.B30827.152150899320494@debbugs.gnu.org>
From: Marius Bakke <mbakke@fastmail.com>
In-Reply-To: <20180319221551.GA25867@jasmine.lan>
References: <e285b16bb67a4f9da2fb6cad7529647fb9141fdb.1521136722.git.leo@famulari.name>
	<871sggv32t.fsf@gnu.org> <20180319221551.GA25867@jasmine.lan>
Date: Tue, 20 Mar 2018 02:23:08 +0100
Message-ID: <87sh8vfslf.fsf@fastmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha512; protocol="application/pgp-signature"
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-patches/>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+kyle=kyleam.com@gnu.org>
To: Leo Famulari <leo@famulari.name>, Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@gnu.org>
Cc: 30827@debbugs.gnu.org

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Leo Famulari <leo@famulari.name> writes:

> On Mon, Mar 19, 2018 at 10:15:22AM +0100, Ludovic Court=C3=A8s wrote:
>> I=E2=80=99m late to the party, but I=E2=80=99m wondering in this case if=
, instead of
>> grafting, we should simply add an util-linux@2.31a package, and make
>> sure GuixSD uses that one in %base-packages.
>>=20
>> That way, both GuixSD and manually installed util-linux would get the
>> Bash completion fix.  It=E2=80=99s probably OK that packages that depend=
 on
>> util-linux don=E2=80=99t get the fixed version because users don=E2=80=
=99t get bash
>> completion from there.
>>=20
>> WDYT?
>
> What do you think of the attached patch?
> From c29872dab8ca0a8fc20bdaf4183d6f061fa2c677 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Mon, 19 Mar 2018 17:13:26 -0400
> Subject: [PATCH] gnu: util-linux: Fix CVE-2018-7738 without grafting.
>
> * gnu/packages/linux.scm (util-linux)[replacement]: Remove field.
> (util-linux-2.31.1): New variable.
> * gnu/system.scm (%base-packages): Use util-linux-2.31.1.

[...]
=20=20
> -(define util-linux/fixed
> +;; The patch 'util-linux-CVE-2018-7738.patch' fixes a security bug in
> +;; the Bash completions for `mount`. Since this bug doesn't affect
> +;; other programs that link against libraries from util-linux, we don't
> +;; need to use a graft to make the fix available. Instead, users
> +;; installing util-linux will get the fix in this newer version, and
> +;; (@ (gnu system) %base-packages) takes care to use this package.
> +;; This solution was suggested here:
> +;; <https://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D30827#13>
> +(define-public util-linux-2.31.1
>    (package
>      (inherit util-linux)
> -    (source
> -      (origin
> -        (inherit (package-source util-linux))
> -        (patches (append (origin-patches (package-source util-linux))
> -                         (search-patches "util-linux-CVE-2018-7738.patch=
")))))))
> +    (name "util-linux")
> +    ;; XXX Don't update this without also updating %base-packages!
> +    (version "2.31.1")
> +    (source (origin
> +              (method url-fetch)
> +              (uri (string-append "mirror://kernel.org/linux/utils/"
> +                                  name "/v" (version-major+minor version=
) "/"
> +                                  name "-" version ".tar.xz"))
> +              (sha256
> +               (base32
> +                "04fzrnrr3pvqskvjn9f81y0knh0jvvqx4lmbz5pd4lfdm5pv2l8s"))
> +              (patches (search-patches "util-linux-tests.patch"
> +                                       "util-linux-CVE-2018-7738.patch"))
> +              (modules '((guix build utils)))
> +              (snippet
> +               ;; We take the 'logger' program from GNU Inetutils and 'k=
ill'
> +               ;; from GNU Coreutils.
> +               '(begin
> +                  (substitute* "configure"
> +                    (("build_logger=3Dyes") "build_logger=3Dno")
> +                    (("build_kill=3Dyes") "build_kill=3Dno"))
> +                  #t))))))

You can keep (inherit (package-source ...)) here to avoid duplicating
snippet, modules and method.  Apart from that LGTM.

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlqwYnwACgkQoqBt8qM6
VPqEwgf/XeushVN+BxMcQB5fwTMPNcz8DFVoBPGgZtV4GccudsJUFb0SI46se7iJ
GtVaXNizBQh5oZA8ERq76ZMI/apr+Pvsmv5t67ihUJe0CpzENoP/1eAg2q2al21b
tVTQUT3P/hloPGAclKJOxPZWHprTg4sYxBJR1mC9RrLWopRJfY0++q0XnJYp4pKs
0ad8QQgORtqoq35KhNt2YSviDEGjGyrHYdK7G5BfgbXPLzuYb6NAc4UIibeiKX+d
dtZ9ES1jmrkJl3qlPlUIaJJKJTMf/dbzg3gC+o15CZeCaxWNrCbCSN1XjwsJngdf
Jh72ZJWGCqtr2WJIx6dVrdXVza7uJQ==
=nJXr
-----END PGP SIGNATURE-----
--=-=-=--