From: Efraim Flashner
Subject: bug#27943: tar complains about too-long names (guix release)
Date: Thu, 30 Nov 2017 23:49:01 +0200
Message-ID: <20171130214901.GA19582@macbook41>
References: <20170804092212.77f65fef@scratchpost.org> <87shcyzdhg.fsf@gnu.org> <20171130130510.GT991@macbook41> <877eu750rb.fsf@gnu.org>
In-Reply-To: <877eu750rb.fsf@gnu.org>
List-Id: Bug reports for GNU Guix
To: Ludovic Courtès
Cc: 27943@debbugs.gnu.org

On Thu, Nov 30, 2017 at 02:55:52PM +0100, Ludovic Courtès wrote:
> Hi Efraim,
>
> Efraim Flashner skribis:
>
> > It gets worse than that, our t1lib-CVE-2010-2462 is also CVE-2011-0433
> > and CVE-2011-5244.¹
> >
> > I tried creating a blank patch (touch t1lib-CVE...) and adding that to
> > satisfy the linter (and bookkeeping) but unsurprisingly patch didn't like
> > trying to apply a blank file as a patch.
>
> Yeah that’s no good.
>
> > Debian removed it after squeeze², which was Debian 6, so about 6 years
> > ago. Gentoo apparently still has it³. We don't have anything that
> > depends on it so I'm in favor of removing it; even the upstream homepage
> > is gone.
>
> I don’t have an opinion. Could you poll guix-devel?
>
> > This doesn't deal with the possibility that patches that address
> > multiple CVEs that can't be split easily and have a very long name will
> > continue to occur, so the best option I can think of right now is to
> > change the linter to logic like this:
> >
> > CVE- -> The following are all CVEs
> > YYYY-ZZZZ???? -> Full CVE reference
> > ZZZZ???? -> Follows the year of the previous CVE
> >
> > which would change t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554 ->
> > t1lib-CVE-2011-1552+1553+1554,
> > and our under-referenced t1lib-CVE-2010-2642 ->
> > t1lib-CVE-2010-2642+2011-0433+5244
>
> I thought about it, but since it’s an unusual case, what about adding a
> special property to packages instead? You’d write:
>
> (package
>   ;; …
>   (properties '((fixed-vulnerabilities "CVE-123-4567" "CVE-123-4568"))))
>
> ‘guix lint’ would honor this property, and that would address both cases
> like this and situations where a CVE is known to no longer apply, as is
> the case with unversioned CVEs¹.
>
> Thoughts?
>
> Ludo’.
>
> ¹ http://www.openwall.com/lists/oss-security/2017/03/15/3

I like that idea. It also allows us to mitigate a CVE without needing to
specifically add a patch. I've attached my first attempt at implementing
it.
-- 
Efraim Flashner   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

Attachment: 0001-lint-check-vulnerabilities-also-checks-package-prope.patch

From ad48d84c8659985d706cfe2f8e07314d6017611a Mon Sep 17 00:00:00 2001
From: Efraim Flashner
Date: Thu, 30 Nov 2017 23:41:29 +0200
Subject: [PATCH 1/2] lint: 'check-vulnerabilities' also checks package properties.

* guix/scripts/lint.scm (check-vulnerabilities): Also check for CVEs
listed as mitigated in the package properties.
---
 guix/scripts/lint.scm | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/guix/scripts/lint.scm b/guix/scripts/lint.scm index 1b43b0a63..8112595c8 100644 --- a/guix/scripts/lint.scm +++ b/guix/scripts/lint.scm @@ -7,6 +7,7 @@ ;;; Copyright =C2=A9 2016 Hartmut Goebel ;;; Copyright =C2=A9 2017 Alex Kost ;;; Copyright =C2=A9 2017 Tobias Geerinckx-Rice +;;; Copyright =C2=A9 2017 Efraim Flashner ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -881,10 +882,11 @@ the NIST server non-fatal." (or (and=3D> (package-source package) origin-patches) '()))) + (known-safe (assq-ref (package-properties package) 'fixed-vu= lnerabilities)) (unpatched (remove (lambda (vuln) (find (cute string-contains <> (vulnerability-id vuln)) - patches)) + (append patches known-safe))) vulnerabilities))) (unless (null? unpatched) (emit-warning package --=20 2.15.0 --h31gzZEtNLTqOjlF Content-Type: text/plain; charset=utf-8 Content-Disposition: attachment; filename="0002-gnu-t1lib-Change-how-patched-CVEs-are-listed.patch" Content-Transfer-Encoding: quoted-printable =46rom 3ae1af75fe7304a05ca8ac0edd8582d581108d05 Mon Sep 17 00:00:00 2001 =46rom: Efraim Flashner Date: Thu, 30 Nov 2017 23:46:55 +0200 Subject: [PATCH 2/2] gnu: t1lib: Change how patched CVEs are listed. * gnu/packages/fontutils.scm (t1lib)[source]: Change patch name. [properties]: New field, register patched CVEs. * gnu/packages/patches/CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch: Rename to CVE-2011-1552+.patch. * gnu/local.mk (dist_patch_DATA): Change patch name. --- gnu/local.mk | 2 +- gnu/packages/fontutils.scm | 8 ++++= ++-- ...E-2011-1553+CVE-2011-1554.patch =3D> t1lib-CVE-2011-1552+.patch} | 0 3 files changed, 7 insertions(+), 3 deletions(-) rename gnu/packages/patches/{t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-15= 54.patch =3D> t1lib-CVE-2011-1552+.patch} (100%) diff --git a/gnu/local.mk b/gnu/local.mk index 05a86ac17..398839682 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1079,7 +1079,7 @@ dist_patch_DATA =3D \ %D%/packages/patches/synfigstudio-fix-ui-with-gtk3.patch \ %D%/packages/patches/t1lib-CVE-2010-2642.patch \ %D%/packages/patches/t1lib-CVE-2011-0764.patch \ - %D%/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.pat= ch \ + %D%/packages/patches/t1lib-CVE-2011-1552+.patch \ %D%/packages/patches/tar-CVE-2016-6321.patch \ %D%/packages/patches/tar-skip-unreliable-tests.patch \ %D%/packages/patches/tcl-mkindex-deterministic.patch \ 
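Review bot: In the check-vulnerabilities hunk of the first patch, `known-safe` is bound to the raw result of `assq-ref`, which is `#f` for every package that carries no `fixed-vulnerabilities` property (that is, nearly all of them); `(append patches #f)` then produces an improper list (or plain `#f` when the package has no patches at all), and the `find` inside the `remove` lambda will raise a wrong-type error when it walks off the end, so the linter would fail on every package that has not opted in. Default the lookup to the empty list, e.g. `(known-safe (or (assq-ref (package-properties package) 'fixed-vulnerabilities) '()))`. A second point on the same lines: reusing `(cute string-contains <> (vulnerability-id vuln))` for the property entries means a substring match is enough to silence a CVE, whereas for explicit identifiers an exact `member` / `string=?` comparison is the safer choice. Finally, the diffstat shows only guix/scripts/lint.scm touched, so the new property is not documented anywhere; a sentence in the manual and in the ChangeLog entry naming `fixed-vulnerabilities` would help people find it.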
diff --git a/gnu/packages/fontutils.scm b/gnu/packages/fontutils.scm index d2306a942..2edbe31d1 100644 --- a/gnu/packages/fontutils.scm +++ b/gnu/packages/fontutils.scm @@ -302,9 +302,9 @@ high quality, anti-aliased and subpixel rendered text o= n a display.") (sha256 (base32 "0nbvjpnmcznib1nlgg8xckrmsw3haa154byds2h90y2g0nsjh4w2= ")) (patches (search-patches - "t1lib-CVE-2010-2642.patch" + "t1lib-CVE-2010-2642.patch" ; 2011-0443, 2011-5244 "t1lib-CVE-2011-0764.patch" - "t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.pa= tch")))) + "t1lib-CVE-2011-1552+.patch")))) ; 2011-1553, 2011-= 1554 (build-system gnu-build-system) (arguments ;; Making the documentation requires latex, but t1lib is also an input @@ -323,6 +323,10 @@ describe character bitmaps. It contains the bitmap da= ta as well as some metric information. But t1lib is in itself entirely independent of the X11-system or any other graphical user interface.") (license license:gpl2) + (properties `((fixed-vulnerabilities . ("CVE-2011-0433" + "CVE-2011-1553" + "CVE-2011-1554" + "CVE-2011-5244")))) (home-page "http://www.t1lib.org/"))) =20 (define-public teckit 
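Review bot: The trailing comment added on the `"t1lib-CVE-2010-2642.patch"` line reads `2011-0443`, while the `fixed-vulnerabilities` property added in the next hunk (and the message body) says `CVE-2011-0433`; one of the two is a transposition, and since the property is what `guix lint` will actually read, the comment should be corrected to match it. Style-wise, the property is quasiquoted but contains no unquotes, and `(fixed-vulnerabilities . ("CVE-2011-0433" ...))` is the same datum as the `'((fixed-vulnerabilities "CVE-2011-0433" ...))` form proposed in the thread, so the plain-quoted form would be simpler and consistent with the proposal.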
diff --git a/gnu/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-201= 1-1554.patch b/gnu/packages/patches/t1lib-CVE-2011-1552+.patch similarity index 100% rename from gnu/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011= -1554.patch rename to gnu/packages/patches/t1lib-CVE-2011-1552+.patch --=20 2.15.0
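The property-based check discussed in the thread, as an added example that is not part of this mail or of Guix itself: a self-contained Guile script with constructed stand-ins for `package-properties`, a patch-name accessor and `vulnerability-id` (assumed names modelled on the patch, operating on plain alists and strings rather than Guix records), showing the lookup with an empty-list default for packages that lack the property, exact matching for the listed identifiers, and the substring match on patch file names that the original keeps.

```scheme
(use-modules (srfi srfi-1)    ; find, remove
             (srfi srfi-26))  ; cute

;; Constructed stand-ins (assumptions, not Guix's API): a "package" here is
;; an alist and a "vulnerability" is just its CVE identifier string.
(define (package-properties pkg)
  (or (assq-ref pkg 'properties) '()))
(define (package-patch-names pkg)
  (or (assq-ref pkg 'patches) '()))
(define (vulnerability-id vuln) vuln)

;; The check from the first patch with two changes: a '() default so that a
;; package without the property never hands #f to APPEND/FIND, and an exact
;; MEMBER match for the explicit identifiers.  A patch *file name* that
;; merely contains the id is still accepted, as in the original.
(define (unpatched-vulnerabilities pkg vulnerabilities)
  (let* ((patches    (package-patch-names pkg))
         (known-safe (or (assq-ref (package-properties pkg)
                                   'fixed-vulnerabilities)
                         '())))
    (remove (lambda (vuln)
              (let ((id (vulnerability-id vuln)))
                (or (find (cute string-contains <> id) patches)
                    (member id known-safe))))
            vulnerabilities)))

;; Constructed sample data modelled on the t1lib change in the second patch.
(define t1lib
  '((patches . ("t1lib-CVE-2010-2642.patch"
                "t1lib-CVE-2011-0764.patch"
                "t1lib-CVE-2011-1552+.patch"))
    (properties . ((fixed-vulnerabilities . ("CVE-2011-0433"
                                             "CVE-2011-1553"
                                             "CVE-2011-1554"
                                             "CVE-2011-5244"))))))

;; A package with neither patches nor properties: must not crash the linter.
(define bare-package '())

;; Constructed list of identifiers as a CVE feed might report them.
(define reported
  '("CVE-2010-2642" "CVE-2011-0433" "CVE-2011-0764" "CVE-2011-1552"
    "CVE-2011-1553" "CVE-2011-1554" "CVE-2011-5244" "CVE-2011-9999"))

(write (unpatched-vulnerabilities t1lib reported)) (newline)
(write (unpatched-vulnerabilities bare-package reported)) (newline)
```

Run with `guile example.scm`. The first call reports only the identifier that is neither covered by a patch name nor listed in the property; the second returns the whole list for the bare package instead of raising a wrong-type error, which is the behaviour the missing default in the patch would otherwise produce.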