[PATCH 2/2] gnu: bash: Add graft for patch #7 [fixes CVE-2017-5932].

all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed

From: "Ludovic Courtès" <ludo@gnu.org>
To: guix-devel@gnu.org
Subject: [PATCH 2/2] gnu: bash: Add graft for patch #7 [fixes CVE-2017-5932].
Date: Fri, 10 Feb 2017 10:40:58 +0100	[thread overview]
Message-ID: <20170210094058.6449-3-ludo@gnu.org> (raw)
In-Reply-To: <20170210094058.6449-1-ludo@gnu.org>

* gnu/packages/bash.scm (bash)[replacement]: New field.
(bash-minimal): Likewise.
(url-fetch/reset-patch-level): New procedure.
(bash/fixed): New variable.
---
 gnu/packages/bash.scm | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/gnu/packages/bash.scm b/gnu/packages/bash.scm
index dcf771aef..c121fd84d 100644
--- a/gnu/packages/bash.scm
+++ b/gnu/packages/bash.scm
@@ -28,6 +28,9 @@
   #:use-module (guix packages)
   #:use-module (guix download)
   #:use-module (guix utils)
+  #:use-module (guix gexp)
+  #:use-module (guix monads)
+  #:use-module (guix store)
   #:use-module (guix build-system gnu)
   #:autoload   (guix gnupg) (gnupg-verify*)
   #:autoload   (guix hash) (port-sha256)
@@ -95,6 +98,7 @@ number/base32-hash tuples, directly usable in the 'patch-series' form."
          (version "4.4"))
     (package
      (name "bash")
+     (replacement bash/fixed)
      (source (origin
               (method url-fetch)
               (uri (string-append
@@ -181,6 +185,7 @@ without modification.")
   ;; A stripped-down Bash for non-interactive use.
   (package (inherit bash)
     (name "bash-minimal")
+    (replacement #f) ;not vulnerable to CVE-2017-5932 since it lacks completion
     (inputs '())                                ; no readline, no curses
 
     ;; No "include" output because there's no support for loadable modules.
@@ -236,6 +241,43 @@ without modification.")
                    (delete-file-recursively (string-append out "/share"))
                    #t))))))))))
 
+(define* (url-fetch/reset-patch-level url hash-algo hash
+                                      #:optional name
+                                      #:key (system (%current-system)) guile)
+  "Fetch the Bash patch from URL and reset its 'PATCHLEVEL' definition so it
+can apply to a patch-level 0 Bash."
+  (mlet* %store-monad ((name -> (or name (basename url)))
+                       (patch (url-fetch url hash-algo hash
+                                         (string-append name ".orig")
+                                         #:system system
+                                         #:guile guile)))
+    (gexp->derivation name
+                      (with-imported-modules '((guix build utils))
+                        #~(begin
+                            (use-modules (guix build utils))
+                            (copy-file #$patch #$output)
+                            (substitute* #$output
+                              (("PATCHLEVEL [0-6]+")
+                               "PATCHLEVEL 0"))))
+                      #:guile-for-build guile
+                      #:system system)))
+
+(define bash/fixed                        ;CVE-2017-5932 (RCE with completion)
+  (package
+    (inherit bash)
+    (version "4.4.A")                             ;4.4.0 + patch #7
+    (replacement #f)
+    (source
+     (origin
+       (inherit (package-source bash))
+       (patches (cons (origin
+                        (method url-fetch/reset-patch-level)
+                        (uri (patch-url 7))
+                        (sha256
+                         (base32
+                          "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y")))
+                      (origin-patches (package-source bash))))))))
+
 (define-public bash-completion
   (package
     (name "bash-completion")
-- 
2.11.0

next prev parent reply	other threads:[~2017-02-10  9:41 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-02-10  9:40 [PATCH 0/2] Add graft for Bash CVE-2017-5932 Ludovic Courtès
2017-02-10  9:40 ` [PATCH 1/2] gnu: bash: Update patch URL to 4.4 Ludovic Courtès
2017-02-10  9:40 ` Ludovic Courtès [this message]
2017-02-10 12:23 ` [PATCH 0/2] Add graft for Bash CVE-2017-5932 Leo Famulari
2017-02-10 15:48 ` Ludovic Courtès

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:dcf771ae dfblob:c121fd84 )
 OR (
bs:"[PATCH 2/2] gnu: bash: Add graft for patch #7 [fixes CVE-2017-5932]." )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170210094058.6449-3-ludo@gnu.org \
    --to=ludo@gnu.org \
    --cc=guix-devel@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.