unofficial mirror of guix-patches@gnu.org 
* [bug#74004] [PATCH] gnu: busybox: Update to 1.37.0. [security fixes]
@ 2024-10-25  7:38 Nicolas Graves via Guix-patches via
  2024-10-26  2:13 ` bug#74004: " Zheng Junjie
  0 siblings, 1 reply; 4+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-25  7:38 UTC (permalink / raw)
  To: 74004; +Cc: Nicolas Graves

This fixes CVE-2023-42363, CVE-2023-42364, CVE-2023-42365 and
CVE-2023-42366.

* gnu/packages/busybox.scm (busybox): Update to 1.37.0.
---
 gnu/packages/busybox.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/busybox.scm b/gnu/packages/busybox.scm
index f811a7175f..46398da213 100644
--- a/gnu/packages/busybox.scm
+++ b/gnu/packages/busybox.scm
@@ -36,7 +36,7 @@ (define-module (gnu packages busybox)
 (define-public busybox
   (package
     (name "busybox")
-    (version "1.36.1")
+    (version "1.37.0")
     (source (origin
               (method url-fetch)
               (uri (string-append
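Review bot: The only change in this hunk is the `(version "1.37.0")` string, yet the log credits it with fixing CVE-2023-42363, CVE-2023-42364, CVE-2023-42365 and CVE-2023-42366, and nothing in the patch lets a reviewer confirm that. Please cite in the commit message where upstream states that 1.37.0 contains those fixes (release notes or the fixing commits), so the "[security fixes]" tag can be checked rather than inferred from the version number.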
@@ -44,7 +44,7 @@ (define-public busybox
                     version ".tar.bz2"))
               (sha256
                (base32
-                "0573gpj51phcz04sg77iznvcxmf5jnbk9gn3g5r9x02daz4j9k5q"))))
+                "1923f21rnlbv1qjvk2qhgqnki5mkgr6z0p8dvzs9jr3l5vrxy49k"))))
     (build-system gnu-build-system)
     (arguments
      (list #:phases
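Review bot: The new `base32` value on the `+` line is the only thing binding this package to a specific tarball, and the patch does not say how that tarball was authenticated. Since the origin uses `url-fetch`, please state in the log whether the download was checked against an upstream signature or published checksum before the hash was computed. A hash taken from an unverified download only records whatever the server returned at that moment.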
-- 
2.46.0






* bug#74004: [PATCH] gnu: busybox: Update to 1.37.0. [security fixes]
  2024-10-25  7:38 [bug#74004] [PATCH] gnu: busybox: Update to 1.37.0. [security fixes] Nicolas Graves via Guix-patches via
@ 2024-10-26  2:13 ` Zheng Junjie
  2024-10-26 23:22   ` [bug#74004] " Ludovic Courtès
  0 siblings, 1 reply; 4+ messages in thread
From: Zheng Junjie @ 2024-10-26  2:13 UTC (permalink / raw)
  To: Nicolas Graves via Guix-patches via; +Cc: 74004-done, Nicolas Graves


Nicolas Graves via Guix-patches via <guix-patches@gnu.org> writes:

> This fixes CVE-2023-42363, CVE-2023-42364, CVE-2023-42365 and
> CVE-2023-42366.
>
> * gnu/packages/busybox.scm (busybox): Update to 1.37.0.
> ---
>  gnu/packages/busybox.scm | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/packages/busybox.scm b/gnu/packages/busybox.scm
> index f811a7175f..46398da213 100644
> --- a/gnu/packages/busybox.scm
> +++ b/gnu/packages/busybox.scm
> @@ -36,7 +36,7 @@ (define-module (gnu packages busybox)
>  (define-public busybox
>    (package
>      (name "busybox")
> -    (version "1.36.1")
> +    (version "1.37.0")
>      (source (origin
>                (method url-fetch)
>                (uri (string-append
> @@ -44,7 +44,7 @@ (define-public busybox
>                      version ".tar.bz2"))
>                (sha256
>                 (base32
> -                "0573gpj51phcz04sg77iznvcxmf5jnbk9gn3g5r9x02daz4j9k5q"))))
> +                "1923f21rnlbv1qjvk2qhgqnki5mkgr6z0p8dvzs9jr3l5vrxy49k"))))
>      (build-system gnu-build-system)
>      (arguments
>       (list #:phases
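
Review bot: Nothing in the patch or its log says which systems the new source was built on, and the context line `(build-system gnu-build-system)` means the 1.37.0 tarball is compiled from source wherever the package is built. A build of the updated package on at least one non-x86 system before pushing would be a reasonable requirement for an update of this kind. The follow-up in this thread reports a compile error on powerpc64le-linux.
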
push, close.


* [bug#74004] [PATCH] gnu: busybox: Update to 1.37.0. [security fixes]
  2024-10-26  2:13 ` bug#74004: " Zheng Junjie
@ 2024-10-26 23:22   ` Ludovic Courtès
  2024-10-27  3:38     ` Zheng Junjie
  0 siblings, 1 reply; 4+ messages in thread
From: Ludovic Courtès @ 2024-10-26 23:22 UTC (permalink / raw)
  To: Zheng Junjie; +Cc: 74004, 74004-done, Nicolas Graves

The updated package fails to build on powerpc64le-linux:

  https://ci.guix.gnu.org/build/6263835/details

Excerpt:

--8<---------------cut here---------------start------------->8---
libbb/hash_md5_sha.c: In function ‘sha1_end’:
libbb/hash_md5_sha.c:1316:35: error: ‘sha1_process_block64_shaNI’ undeclared (first use in this function); did you mean ‘sha1_process_block64’?
 1316 |          || ctx->process_block == sha1_process_block64_shaNI
      |                                   ^~~~~~~~~~~~~~~~~~~~~~~~~~
      |                                   sha1_process_block64
libbb/hash_md5_sha.c:1316:35: note: each undeclared identifier is reported only once for each function it appears in
make[1]: *** [scripts/Makefile.build:198: libbb/hash_md5_sha.o] Error 1
make: *** [Makefile:744: libbb] Error 2
--8<---------------cut here---------------end--------------->8---

Ludo’.





* [bug#74004] [PATCH] gnu: busybox: Update to 1.37.0. [security fixes]
  2024-10-26 23:22   ` [bug#74004] " Ludovic Courtès
@ 2024-10-27  3:38     ` Zheng Junjie
  0 siblings, 0 replies; 4+ messages in thread
From: Zheng Junjie @ 2024-10-27  3:38 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 74004, 74004-done, Nicolas Graves



Ludovic Courtès <ludo@gnu.org> writes:

> The updated package fails to build on powerpc64le-linux:
>
>   https://ci.guix.gnu.org/build/6263835/details
>
> Excerpt:
>
> --8<---------------cut here---------------start------------->8---
> libbb/hash_md5_sha.c: In function ‘sha1_end’:
> libbb/hash_md5_sha.c:1316:35: error: ‘sha1_process_block64_shaNI’ undeclared (first use in this function); did you mean ‘sha1_process_block64’?
>  1316 |          || ctx->process_block == sha1_process_block64_shaNI
>       |                                   ^~~~~~~~~~~~~~~~~~~~~~~~~~
>       |                                   sha1_process_block64
> libbb/hash_md5_sha.c:1316:35: note: each undeclared identifier is reported only once for each function it appears in
> make[1]: *** [scripts/Makefile.build:198: libbb/hash_md5_sha.o] Error 1
> make: *** [Makefile:744: libbb] Error 2
> --8<---------------cut here---------------end--------------->8---
>
> Ludo’.

Please try this patch.


[-- Attachment #1.2: 0001-gnu-busybox-Fix-build-on-non-x86-platform.patch --]
[-- Type: text/x-patch, Size: 5017 bytes --]

From f50eacabce6a9955e3b673c202d6a0a6fa2c2623 Mon Sep 17 00:00:00 2001
Message-ID: <f50eacabce6a9955e3b673c202d6a0a6fa2c2623.1730000285.git.zhengjunjie@iscas.ac.cn>
From: Zheng Junjie <zhengjunjie@iscas.ac.cn>
Date: Sun, 27 Oct 2024 11:20:16 +0800
Subject: [PATCH] gnu: busybox: Fix build on non x86 platform.

* gnu/packages/patches/busybox-add-missing-sha-NI-guard.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/busybox.scm (busybox): Use it.

Change-Id: I1e6a24dd5b86871a3479ab6ecd247b31c746ec75
---
 gnu/local.mk                                  |  1 +
 gnu/packages/busybox.scm                      |  5 +-
 .../busybox-add-missing-sha-NI-guard.patch    | 48 +++++++++++++++++++
 3 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/busybox-add-missing-sha-NI-guard.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 6bd7c750900..af9a08f0613 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1032,6 +1032,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/breezy-fix-gio.patch			\
   %D%/packages/patches/byobu-writable-status.patch		\
   %D%/packages/patches/bubblewrap-fix-locale-in-tests.patch	\
+  %D%/packages/patches/busybox-add-missing-sha-NI-guard.patch	\
   %D%/packages/patches/cadical-add-shared-library.patch		\
   %D%/packages/patches/calibre-no-updates-dialog.patch		\
   %D%/packages/patches/calibre-remove-test-sqlite.patch		\
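Review bot: Style point on the added `busybox-add-missing-sha-NI-guard.patch` line: it sorts correctly after `bubblewrap-fix-locale-in-tests.patch`, but the surrounding context is already out of order (`byobu-writable-status.patch` precedes the bubblewrap entry), so the new name ends up after a "by" entry. The placement can stay as it is. Just make sure the line uses the same tab before the trailing backslash as its neighbours, and leave the byobu reordering to a separate commit.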
diff --git a/gnu/packages/busybox.scm b/gnu/packages/busybox.scm
index 46398da2136..053994a52af 100644
--- a/gnu/packages/busybox.scm
+++ b/gnu/packages/busybox.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2016-2020, 2023 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2018–2022 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2022 LuHui <luhux76@gmail.com>
+;;; Copyright © 2024 Zheng Junjie <873216071@qq.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
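Review bot: The added copyright line gives `873216071@qq.com`, while the From header of this commit is `zhengjunjie@iscas.ac.cn`. If that is intentional it can stay, otherwise use one address consistently so the copyright holder can be matched to the commit author.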
@@ -44,7 +45,9 @@ (define-public busybox
                     version ".tar.bz2"))
               (sha256
                (base32
-                "1923f21rnlbv1qjvk2qhgqnki5mkgr6z0p8dvzs9jr3l5vrxy49k"))))
+                "1923f21rnlbv1qjvk2qhgqnki5mkgr6z0p8dvzs9jr3l5vrxy49k"))
+              (patches
+               (search-patches "busybox-add-missing-sha-NI-guard.patch"))))
     (build-system gnu-build-system)
     (arguments
      (list #:phases
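Review bot: The new `(patches (search-patches ...))` field carries no comment saying where the patch comes from or when it can be dropped. The patch file itself names the upstream list post, so a one-line comment above `(patches` pointing to it, and noting that the patch should be removed once a BusyBox release includes the guard, would keep it from outliving its purpose.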
diff --git a/gnu/packages/patches/busybox-add-missing-sha-NI-guard.patch b/gnu/packages/patches/busybox-add-missing-sha-NI-guard.patch
new file mode 100644
index 00000000000..9fe78cb0bed
--- /dev/null
+++ b/gnu/packages/patches/busybox-add-missing-sha-NI-guard.patch
@@ -0,0 +1,48 @@
+from https://lists.busybox.net/pipermail/busybox/2024-September/090899.html
+
+The ENABLE_SHA1_HWACCEL Kconfig symbol is meant to be archicture
+agnostic, so can be enabled regardless of whether your build
+architecture provides hardware acceleration or not.
+ At the moment only
+x86 implements this, so every piece of optimised code should be guarded
+by both ENABLE_SHA1_HWACCEL and (__x86_64__ || __i386__).
+ This is missing
+at one place, so compiling for arm64 breaks when ENABLE_SHA1_HWACCEL is
+enabled:
+================================
+libbb/hash_md5_sha.c: In function ‘sha1_end’:
+libbb/hash_md5_sha.c:1316:28: error: ‘sha1_process_block64_shaNI’ undeclared (first use in this function); did you mean ‘sha1_process_block64’?
+
+ 1316 |   || ctx->process_block == sha1_process_block64_shaNI
+      |                            ^~~~~~~~~~~~~~~~~~~~~~~~~~
+      |                            sha1_process_block64
+libbb/hash_md5_sha.c:1316:28: note: each undeclared identifier is reported only once for each function it appears in
+make[1]: *** [scripts/Makefile.build:197: libbb/hash_md5_sha.o] Error 1
+make: *** [Makefile:744: libbb] Error 2
+================================
+
+Add the missing guards around the call to sha1_process_block64_shaNI to
+fix the build on other architectures with ENABLE_SHA1_HWACCEL enabled.
+
+Change-Id: I40bba388422625f4230abf15a5de23e1fdc654fc
+Signed-off-by: Andre Przywara <andre.przywara at arm.com>
+---
+ libbb/hash_md5_sha.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libbb/hash_md5_sha.c b/libbb/hash_md5_sha.c
+index 57a801459..75a61c32c 100644
+--- a/libbb/hash_md5_sha.c
++++ b/libbb/hash_md5_sha.c
+@@ -1313,7 +1313,9 @@ unsigned FAST_FUNC sha1_end(sha1_ctx_t *ctx, void *resbuf)
+ 	hash_size = 8;
+ 	if (ctx->process_block == sha1_process_block64
+ #if ENABLE_SHA1_HWACCEL
++# if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))
+ 	 || ctx->process_block == sha1_process_block64_shaNI
++# endif
+ #endif
+ 	) {
+ 		hash_size = 5;
+-- 
+2.25.1
\ No newline at end of file
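Review bot: In the embedded `libbb/hash_md5_sha.c` hunk, the added guard tests `defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))`, whereas the description above it only speaks of `ENABLE_SHA1_HWACCEL` and `(__x86_64__ || __i386__)`. The guard needs to be the same condition under which `sha1_process_block64_shaNI` is declared, which is not visible here, so please confirm it against the 1.37.0 source: a mismatch would either bring back the undeclared-identifier error or skip the `hash_size = 5` branch in a build that does use the SHA-NI routine. Separately, the description looks copied from the list archive's web view rather than the raw message (sentences broken onto lines with a leading space, `at` in place of `@` in the Signed-off-by line, no newline at end of file). Importing the raw patch would keep it faithful to upstream.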

base-commit: 269e4034fcaf55324187efffb6ed5ba14d5e9286
prerequisite-patch-id: f64c7b345e9d8e398b2f8c146ea8f161679ad369
prerequisite-patch-id: b752a2999f51803f96394183d08b19003d1e6bc0
-- 
2.46.0

