Subject: [bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738.
From: Marius Bakke
To: Leo Famulari, Ludovic Courtès
Cc: 30827@debbugs.gnu.org
Date: Tue, 20 Mar 2018 02:23:08 +0100
Message-ID: <87sh8vfslf.fsf@fastmail.com>
In-Reply-To: <20180319221551.GA25867@jasmine.lan>
References: <871sggv32t.fsf@gnu.org> <20180319221551.GA25867@jasmine.lan>

Leo Famulari writes:

> On Mon, Mar 19, 2018 at 10:15:22AM +0100, Ludovic Courtès wrote:
>> I'm late to the party, but I'm wondering in this case if, instead of
>> grafting, we should simply add a util-linux@2.31a package, and make
>> sure GuixSD uses that one in %base-packages.
>>
>> That way, both GuixSD and manually installed util-linux would get the
>> Bash completion fix. It's probably OK that packages that depend on
>> util-linux don't get the fixed version because users don't get bash
>> completion from there.
>>
>> WDYT?
>
> What do you think of the attached patch?

> From c29872dab8ca0a8fc20bdaf4183d6f061fa2c677 Mon Sep 17 00:00:00 2001
> From: Leo Famulari
> Date: Mon, 19 Mar 2018 17:13:26 -0400
> Subject: [PATCH] gnu: util-linux: Fix CVE-2018-7738 without grafting.
>
> * gnu/packages/linux.scm (util-linux)[replacement]: Remove field.
> (util-linux-2.31.1): New variable.
> * gnu/system.scm (%base-packages): Use util-linux-2.31.1.

[...]

> -(define util-linux/fixed
> +;; The patch 'util-linux-CVE-2018-7738.patch' fixes a security bug in
> +;; the Bash completions for `mount`. Since this bug doesn't affect
> +;; other programs that link against libraries from util-linux, we don't
> +;; need to use a graft to make the fix available. Instead, users
> +;; installing util-linux will get the fix in this newer version, and
> +;; (@ (gnu system) %base-packages) takes care to use this package.
> +;; This solution was suggested here:
> +;;
> +(define-public util-linux-2.31.1
>    (package
>      (inherit util-linux)
> -    (source
> -     (origin
> -       (inherit (package-source util-linux))
> -       (patches (append (origin-patches (package-source util-linux))
> -                        (search-patches "util-linux-CVE-2018-7738.patch")))))))
> +    (name "util-linux")
> +    ;; XXX Don't update this without also updating %base-packages!
> +    (version "2.31.1")
> +    (source (origin
> +              (method url-fetch)
> +              (uri (string-append "mirror://kernel.org/linux/utils/"
> +                                  name "/v" (version-major+minor version) "/"
> +                                  name "-" version ".tar.xz"))
> +              (sha256
> +               (base32
> +                "04fzrnrr3pvqskvjn9f81y0knh0jvvqx4lmbz5pd4lfdm5pv2l8s"))
> +              (patches (search-patches "util-linux-tests.patch"
> +                                       "util-linux-CVE-2018-7738.patch"))
> +              (modules '((guix build utils)))
> +              (snippet
> +               ;; We take the 'logger' program from GNU Inetutils and 'kill'
> +               ;; from GNU Coreutils.
> +               '(begin
> +                  (substitute* "configure"
> +                    (("build_logger=yes") "build_logger=no")
> +                    (("build_kill=yes") "build_kill=no"))
> +                  #t))))))

You can keep (inherit (package-source ...)) here to avoid duplicating
snippet, modules and method.

Apart from that LGTM.
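Review bot: the new `(source (origin ...))` in `util-linux-2.31.1` re-declares `method`, `modules` and `snippet` verbatim instead of reusing them from the parent package, so any later change to the parent's snippet would have to be mirrored here by hand; keep `(inherit (package-source util-linux))` as the removed `util-linux/fixed` did and override only `uri`, `sha256` and `patches`, e.g. `(patches (append (origin-patches (package-source util-linux)) (search-patches "util-linux-CVE-2018-7738.patch")))`. The `;; This solution was suggested here:` comment is followed, as quoted, by an empty `;;` line, so the reference it promises does not appear in the hunk. Note also that with the `replacement` field removed, packages that depend on `util-linux` keep the unpatched source; the comment's claim that only the Bash completion for `mount` is affected is what makes that acceptable, and the fix only reaches installed systems once `%base-packages` in `gnu/system.scm` is switched to this variable, so the two changes must land together.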
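As an added illustration of the inheriting form suggested in the reply (example code written for this page, not code from the thread or from Guix itself), the following package definition reuses the parent origin's `method`, `modules` and `snippet` and overrides only the version-specific fields. The `use-modules` list is an assumption about where these bindings live; the tarball hash and patch file names are the ones quoted in the patch above.

```scheme
;; Added example, not code from the thread: a util-linux 2.31.1 package
;; whose source inherits from the parent package's origin, so method,
;; modules and snippet come from util-linux and only the version-specific
;; fields are overridden.  The module names below are assumed; the hash
;; and patch names are those quoted in the patch.
(use-modules (guix packages)        ; package, origin, package-source, origin-patches
             (guix utils)           ; version-major+minor
             (gnu packages)         ; search-patches
             (gnu packages linux))  ; util-linux

(define-public util-linux-2.31.1
  (package
    (inherit util-linux)
    ;; XXX Keep in sync with %base-packages in (gnu system).
    (version "2.31.1")
    (source (origin
              ;; Inherit method, modules and snippet from the parent origin.
              (inherit (package-source util-linux))
              (uri (string-append "mirror://kernel.org/linux/utils/util-linux/v"
                                  (version-major+minor version) "/"
                                  "util-linux-" version ".tar.xz"))
              (sha256
               (base32
                "04fzrnrr3pvqskvjn9f81y0knh0jvvqx4lmbz5pd4lfdm5pv2l8s"))
              ;; Keep the parent's patches (util-linux-tests.patch) and add
              ;; the CVE fix on top, instead of re-listing them by hand.
              (patches (append (origin-patches (package-source util-linux))
                               (search-patches "util-linux-CVE-2018-7738.patch")))))))
```

Because the patch list is built from `origin-patches` of the parent, a patch later added to `util-linux` is picked up here automatically, which is the property the duplicated `source` in the posted hunk loses.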