From: Efraim Flashner
Subject: binutils CVEs
Date: Sun, 17 Sep 2017 21:19:28 +0300
Message-ID: <20170917181927.GB16737@macbook42.flashner.co.il>
To: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."

There's a large number of CVEs against binutils@2.28. Gentoo¹ has a nice long list of the CVEs, and I've put together a patch to graft a replacement, but I'm getting grafting errors:

ERROR: replacement length differs from the original length "h9nqlf0c82c1sds4yzs60k7pm4f37si2-binutils-2.28" "wl5dg3dnqvk2v2ahh5iadnv1s34rsbb6-binutils-2.28.1"

I've attached the patch in case anyone has any ideas on how to fix this.

¹ https://security.gentoo.org/glsa/201709-02

-- 
Efraim Flashner   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

From 949c3adbf3d2c576356eaf47c0c67ad711b2e4e7 Mon Sep 17 00:00:00 2001
From: Efraim Flashner
Date: Sun, 17 Sep 2017 21:13:22 +0300
Subject: [PATCH] gnu: binutils: Fix security issues.

* gnu/packages/base.scm (binutils)[replacement]: New field.
(binutils/fixed): New variable.
* gnu/packages/commencement.scm (binutils-boot0, binutils-final): Use 'package/inherit' to correctly use replacement binutils.

--- gnu/packages/base.scm | 14 ++++++++++++++ gnu/packages/commencement.scm | 5 +++-- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index 1ccff1fcf5..56a870552c 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm @@ -394,6 +394,7 @@ change. GNU make offers many powerful extensions over = the standard utility.") =20 (define-public binutils (package + (replacement binutils/fixed) (name "binutils") (version "2.28") (source (origin @@ -435,6 +436,19 @@ included.") (license gpl3+) (home-page "https://www.gnu.org/software/binutils/"))) =20 +(define binutils/fixed + (package + (inherit binutils) + (version "2.28.1") + (source=20 + (origin (inherit (package-source binutils)) + (uri (string-append "mirror://gnu/binutils/binutils-" + version ".tar.bz2")) + (sha256 + (base32 + "1sj234nd05cdgga1r36zalvvdkvpfbr12g5mir2n8i1dwsdrj939"))))= )) + + (define* (make-ld-wrapper name #:key (target (const #f)) binutils diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm index 7bbe1becd9..ec7677814f 100644 
--- a/gnu/packages/commencement.scm +++ b/gnu/packages/commencement.scm @@ -3,6 +3,7 @@ ;;; Copyright =C2=A9 2014 Andreas Enge ;;; Copyright =C2=A9 2012 Nikita Karetnikov ;;; Copyright =C2=A9 2014, 2015, 2017 Mark H Weaver +;;; Copyright =C2=A9 2017 Efraim Flashner ;;; ;;; This file is part of GNU Guix. ;;; @@ -139,7 +140,7 @@ =20 (define binutils-boot0 (package-with-bootstrap-guile - (package (inherit binutils) + (package/inherit binutils (name "binutils-cross-boot0") (arguments `(#:guile ,%bootstrap-guile @@ -667,7 +668,7 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~= a \"$@\"~%" =20 (define binutils-final (package-with-bootstrap-guile - (package (inherit binutils) + (package/inherit binutils (arguments `(#:guile ,%bootstrap-guile #:implicit-inputs? #f --=20 2.14.1
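
Review bot: in gnu/packages/base.scm, the binutils/fixed hunk (@@ -435,6 +436,19 @@) sets (version "2.28.1"), which makes the store name "binutils-2.28.1" two characters longer than "binutils-2.28", and that is the mismatch the quoted graft error rejects ("replacement length differs from the original length"). Grafting rewrites store references in place, so the replacement's name-version string has to be the same length as the original's. One way to satisfy that is to keep (version "2.28") in binutils/fixed and carry the CVE fixes as patches in its origin instead of switching to the 2.28.1 tarball. Minor style point: the added "(source" line ends in a trailing space, and the hunk adds two blank lines before (define* (make-ld-wrapper.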
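
Review bot: in gnu/packages/commencement.scm, the two package/inherit hunks (binutils-boot0 at @@ -139,7 +140,7 @@ and binutils-final at @@ -667,7 +668,7 @@) need more justification than the commit message's "to correctly use replacement binutils". package/inherit applies the same field overrides to the replacement of binutils, so both bootstrap packages gain a replacement derived from binutils/fixed and inherit its "2.28.1" version, which reproduces the length mismatch for "binutils-cross-boot0" and for the final binutils as well. Please say in the commit message why the bootstrap toolchain should be grafted; if only the user-facing binutils needs the fix, adding (replacement #f) to these two packages would keep them out of the graft.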