From mboxrd@z Thu Jan 1 00:00:00 1970
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?=
Subject: [PATCH 2/2] gnu: bash: Add graft for patch #7 [fixes CVE-2017-5932].
Date: Fri, 10 Feb 2017 10:40:58 +0100
Message-ID: <20170210094058.6449-3-ludo@gnu.org>
References: <20170210094058.6449-1-ludo@gnu.org>
Return-path:
Received: from eggs.gnu.org ([2001:4830:134:3::10]:59806) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cc7hd-0003Vs-Bp for guix-devel@gnu.org; Fri, 10 Feb 2017 04:41:18 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cc7hc-000361-8M for guix-devel@gnu.org; Fri, 10 Feb 2017 04:41:17 -0500
In-Reply-To: <20170210094058.6449-1-ludo@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel"
To: guix-devel@gnu.org

* gnu/packages/bash.scm (bash)[replacement]: New field.
(bash-minimal): Likewise.
(url-fetch/reset-patch-level): New procedure.
(bash/fixed): New variable.
---
 gnu/packages/bash.scm | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/gnu/packages/bash.scm b/gnu/packages/bash.scm
index dcf771aef..c121fd84d 100644
--- a/gnu/packages/bash.scm
+++ b/gnu/packages/bash.scm
@@ -28,6 +28,9 @@
 #:use-module (guix packages)
 #:use-module (guix download)
 #:use-module (guix utils)
+ #:use-module (guix gexp)
+ #:use-module (guix monads)
+ #:use-module (guix store)
 #:use-module (guix build-system gnu)
 #:autoload (guix gnupg) (gnupg-verify*)
 #:autoload (guix hash) (port-sha256)
@@ -95,6 +98,7 @@ number/base32-hash tuples, directly usable in the 'patch-series' form."
 (version "4.4"))
 (package
 (name "bash")
+ (replacement bash/fixed)
 (source (origin
 (method url-fetch)
 (uri (string-append
@@ -181,6 +185,7 @@ without modification.")
 ;; A stripped-down Bash for non-interactive use.
 (package (inherit bash)
 (name "bash-minimal")
+ (replacement #f) ;not vulnerable to CVE-2017-5932 since it lacks completion
 (inputs '()) ; no readline, no curses
 
 ;; No "include" output because there's no support for loadable modules.
@@ -236,6 +241,43 @@ without modification.")
 (delete-file-recursively (string-append out "/share"))
 #t))))))))))
 
+(define* (url-fetch/reset-patch-level url hash-algo hash
+ #:optional name
+ #:key (system (%current-system)) guile)
+ "Fetch the Bash patch from URL and reset its 'PATCHLEVEL' definition so it
+can apply to a patch-level 0 Bash."
+ (mlet* %store-monad ((name -> (or name (basename url)))
+ (patch (url-fetch url hash-algo hash
+ (string-append name ".orig")
+ #:system system
+ #:guile guile)))
+ (gexp->derivation name
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils))
+ (copy-file #$patch #$output)
+ (substitute* #$output
+ (("PATCHLEVEL [0-6]+")
+ "PATCHLEVEL 0"))))
+ #:guile-for-build guile
+ #:system system)))
+
+(define bash/fixed ;CVE-2017-5932 (RCE with completion)
+ (package
+ (inherit bash)
+ (version "4.4.A") ;4.4.0 + patch #7
+ (replacement #f)
+ (source
+ (origin
+ (inherit (package-source bash))
+ (patches (cons (origin
+ (method url-fetch/reset-patch-level)
+ (uri (patch-url 7))
+ (sha256
+ (base32
+ "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y")))
+ (origin-patches (package-source bash))))))))
+
 (define-public bash-completion
 (package
 (name "bash-completion")
-- 
2.11.0
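Review bot: The comment on the added `(replacement #f)` line in bash-minimal justifies skipping the graft by the package "lacking completion", but the only supporting evidence in the hunk is `(inputs '())`; Bash bundles its own copy of readline, so removing the readline input alone does not establish that the completion code is compiled out, and the configure flags that would are outside this hunk. Suggest the comment name what the exemption actually rests on, e.g. `;not vulnerable to CVE-2017-5932: the completion code is compiled out (see configure-flags)`, after confirming against the build that this is the case. The bash-minimal package definition continues past the end of the hunk.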
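Review bot: The `[0-6]+` character class in the `substitute*` call of `url-fetch/reset-patch-level` is doing unexplained work: it rewrites the old `PATCHLEVEL 6` line of patch #7 but leaves the new `PATCHLEVEL 7` line alone only because 7 falls outside the class, which is needed if, as I believe, upstream Bash patches are context diffs where both lines carry the same `!` marker. The generic procedure name suggests it works for any patch, yet for patch #8 the old level 7 would not match and the patch would fail to apply at build time. Suggest a comment above the regexp such as `;; Only levels below 7 are reset: that hits the old PATCHLEVEL line of patch #7 and leaves its new PATCHLEVEL 7 line untouched.`, or make the upper bound a parameter alongside the patch number. On the integrity side this looks sound: `url-fetch` checks the sha256 on the `.orig` download before the rewrite, so the hash in `bash/fixed` still pins the upstream patch. Both definitions lie entirely within the hunk.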