From c29872dab8ca0a8fc20bdaf4183d6f061fa2c677 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Mon, 19 Mar 2018 17:13:26 -0400 Subject: [PATCH] gnu: util-linux: Fix CVE-2018-7738 without grafting. * gnu/packages/linux.scm (util-linux)[replacement]: Remove field. (util-linux-2.31.1): New variable. * gnu/system.scm (%base-packages): Use util-linux-2.31.1. --- gnu/packages/linux.scm | 40 ++++++++++++++++++++++++++++++++-------- gnu/system.scm | 2 +- 2 files changed, 33 insertions(+), 9 deletions(-) diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index b586c29d0..710b39bbd 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -19,7 +19,7 @@ ;;; Copyright © 2016 Rene Saavedra ;;; Copyright © 2016 Carlos Sánchez de La Lama ;;; Copyright © 2016, 2017 ng0 -;;; Copyright © 2017 Leo Famulari +;;; Copyright © 2017, 2018 Leo Famulari ;;; Copyright © 2017 José Miguel Sánchez García ;;; Copyright © 2017 Gábor Boskovits ;;; Copyright © 2017 Mathieu Othacehe @@ -547,7 +547,6 @@ providing the system administrator with some help in common tasks.") (define-public util-linux (package (name "util-linux") - (replacement util-linux/fixed) (version "2.31") (source (origin (method url-fetch) @@ -635,14 +634,39 @@ block devices, UUIDs, TTYs, and many other tools.") (license (list license:gpl3+ license:gpl2+ license:gpl2 license:lgpl2.0+ license:bsd-4 license:public-domain)))) -(define util-linux/fixed +;; The patch 'util-linux-CVE-2018-7738.patch' fixes a security bug in +;; the Bash completions for `mount`. Since this bug doesn't affect +;; other programs that link against libraries from util-linux, we don't +;; need to use a graft to make the fix available. Instead, users +;; installing util-linux will get the fix in this newer version, and +;; (@ (gnu system) %base-packages) takes care to use this package. +;; This solution was suggested here: +;; +(define-public util-linux-2.31.1 (package (inherit util-linux) - (source - (origin - (inherit (package-source util-linux)) - (patches (append (origin-patches (package-source util-linux)) - (search-patches "util-linux-CVE-2018-7738.patch"))))))) + (name "util-linux") + ;; XXX Don't update this without also updating %base-packages! + (version "2.31.1") + (source (origin + (method url-fetch) + (uri (string-append "mirror://kernel.org/linux/utils/" + name "/v" (version-major+minor version) "/" + name "-" version ".tar.xz")) + (sha256 + (base32 + "04fzrnrr3pvqskvjn9f81y0knh0jvvqx4lmbz5pd4lfdm5pv2l8s")) + (patches (search-patches "util-linux-tests.patch" + "util-linux-CVE-2018-7738.patch")) + (modules '((guix build utils))) + (snippet + ;; We take the 'logger' program from GNU Inetutils and 'kill' + ;; from GNU Coreutils. + '(begin + (substitute* "configure" + (("build_logger=yes") "build_logger=no") + (("build_kill=yes") "build_kill=no")) + #t)))))) (define-public ddate (package diff --git a/gnu/system.scm b/gnu/system.scm index eb4b63c42..0e647356c 100644 --- a/gnu/system.scm +++ b/gnu/system.scm @@ -515,7 +515,7 @@ explicitly appear in OS." ;; required for basic administrator tasks. (cons* procps psmisc which less zile nano pciutils usbutils - util-linux inetutils isc-dhcp + util-linux-2.31.1 inetutils isc-dhcp (@ (gnu packages admin) shadow) ;for 'passwd' ;; wireless-tools is deprecated in favor of iw, but it's still what -- 2.16.2