[bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738.

[Leo Famulari <leo@famulari.name>]

[-- Attachment #1.1: Type: text/plain, Size: 571 bytes --]

On Mon, Mar 19, 2018 at 10:15:22AM +0100, Ludovic Courtès wrote:
> I’m late to the party, but I’m wondering in this case if, instead of
> grafting, we should simply add an util-linux@2.31a package, and make
> sure GuixSD uses that one in %base-packages.
> 
> That way, both GuixSD and manually installed util-linux would get the
> Bash completion fix.  It’s probably OK that packages that depend on
> util-linux don’t get the fixed version because users don’t get bash
> completion from there.
> 
> WDYT?

What do you think of the attached patch?

[-- Attachment #1.2: 0001-gnu-util-linux-Fix-CVE-2018-7738-without-grafting.patch --]
[-- Type: text/plain, Size: 4240 bytes --]

From c29872dab8ca0a8fc20bdaf4183d6f061fa2c677 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Mon, 19 Mar 2018 17:13:26 -0400
Subject: [PATCH] gnu: util-linux: Fix CVE-2018-7738 without grafting.

* gnu/packages/linux.scm (util-linux)[replacement]: Remove field.
(util-linux-2.31.1): New variable.
* gnu/system.scm (%base-packages): Use util-linux-2.31.1.
---
 gnu/packages/linux.scm | 40 ++++++++++++++++++++++++++++++++--------
 gnu/system.scm         |  2 +-
 2 files changed, 33 insertions(+), 9 deletions(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index b586c29d0..710b39bbd 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -19,7 +19,7 @@
 ;;; Copyright © 2016 Rene Saavedra <rennes@openmailbox.org>
 ;;; Copyright © 2016 Carlos Sánchez de La Lama <csanchezdll@gmail.com>
 ;;; Copyright © 2016, 2017 ng0 <ng0@infotropique.org>
-;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2017, 2018 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2017 José Miguel Sánchez García <jmi2k@openmailbox.com>
 ;;; Copyright © 2017 Gábor Boskovits <boskovits@gmail.com>
 ;;; Copyright © 2017 Mathieu Othacehe <m.othacehe@gmail.com>
@@ -547,7 +547,6 @@ providing the system administrator with some help in common tasks.")
 (define-public util-linux
   (package
     (name "util-linux")
-    (replacement util-linux/fixed)
     (version "2.31")
     (source (origin
               (method url-fetch)
@@ -635,14 +634,39 @@ block devices, UUIDs, TTYs, and many other tools.")
     (license (list license:gpl3+ license:gpl2+ license:gpl2 license:lgpl2.0+
                    license:bsd-4 license:public-domain))))
 
-(define util-linux/fixed
+;; The patch 'util-linux-CVE-2018-7738.patch' fixes a security bug in
+;; the Bash completions for `mount`. Since this bug doesn't affect
+;; other programs that link against libraries from util-linux, we don't
+;; need to use a graft to make the fix available. Instead, users
+;; installing util-linux will get the fix in this newer version, and
+;; (@ (gnu system) %base-packages) takes care to use this package.
+;; This solution was suggested here:
+;; <https://debbugs.gnu.org/cgi/bugreport.cgi?bug=30827#13>
+(define-public util-linux-2.31.1
   (package
     (inherit util-linux)
-    (source
-      (origin
-        (inherit (package-source util-linux))
-        (patches (append (origin-patches (package-source util-linux))
-                         (search-patches "util-linux-CVE-2018-7738.patch")))))))
+    (name "util-linux")
+    ;; XXX Don't update this without also updating %base-packages!
+    (version "2.31.1")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "mirror://kernel.org/linux/utils/"
+                                  name "/v" (version-major+minor version) "/"
+                                  name "-" version ".tar.xz"))
+              (sha256
+               (base32
+                "04fzrnrr3pvqskvjn9f81y0knh0jvvqx4lmbz5pd4lfdm5pv2l8s"))
+              (patches (search-patches "util-linux-tests.patch"
+                                       "util-linux-CVE-2018-7738.patch"))
+              (modules '((guix build utils)))
+              (snippet
+               ;; We take the 'logger' program from GNU Inetutils and 'kill'
+               ;; from GNU Coreutils.
+               '(begin
+                  (substitute* "configure"
+                    (("build_logger=yes") "build_logger=no")
+                    (("build_kill=yes") "build_kill=no"))
+                  #t))))))
 
 (define-public ddate
   (package
diff --git a/gnu/system.scm b/gnu/system.scm
index eb4b63c42..0e647356c 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -515,7 +515,7 @@ explicitly appear in OS."
   ;; required for basic administrator tasks.
   (cons* procps psmisc which less zile nano
          pciutils usbutils
-         util-linux inetutils isc-dhcp
+         util-linux-2.31.1 inetutils isc-dhcp
          (@ (gnu packages admin) shadow)          ;for 'passwd'
 
          ;; wireless-tools is deprecated in favor of iw, but it's still what
-- 
2.16.2


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]