[bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738.

[bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738.

[Leo Famulari]

* gnu/packages/patches/util-linux-CVE-2018-7738.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/linux.scm (util-linux)[replacement]: New field.
(util-linux/fixed): New variable.
---
 gnu/local.mk                                       |  1 +
 gnu/packages/linux.scm                             | 10 +++++
 .../patches/util-linux-CVE-2018-7738.patch         | 49 ++++++++++++++++++++++
 3 files changed, 60 insertions(+)
 create mode 100644 gnu/packages/patches/util-linux-CVE-2018-7738.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 69e4d2b7b..788b260e5 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1135,6 +1135,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/unzip-overflow-long-fsize.patch		\
   %D%/packages/patches/unzip-remove-build-date.patch		\
   %D%/packages/patches/ustr-fix-build-with-gcc-5.patch		\
+  %D%/packages/patches/util-linux-CVE-2018-7738.patch		\
   %D%/packages/patches/util-linux-tests.patch			\
   %D%/packages/patches/upower-builddir.patch			\
   %D%/packages/patches/valgrind-enable-arm.patch		\
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index b81cb55d6..0c7642201 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -547,6 +547,7 @@ providing the system administrator with some help in common tasks.")
 (define-public util-linux
   (package
     (name "util-linux")
+    (replacement util-linux/fixed)
     (version "2.31")
     (source (origin
               (method url-fetch)
@@ -634,6 +635,15 @@ block devices, UUIDs, TTYs, and many other tools.")
     (license (list license:gpl3+ license:gpl2+ license:gpl2 license:lgpl2.0+
                    license:bsd-4 license:public-domain))))
 
+(define util-linux/fixed
+  (package
+    (inherit util-linux)
+    (source
+      (origin
+        (inherit (package-source util-linux))
+        (patches (append (origin-patches (package-source util-linux))
+                         (search-patches "util-linux-CVE-2018-7738.patch")))))))
+
 (define-public ddate
   (package
     (name "ddate")
diff --git a/gnu/packages/patches/util-linux-CVE-2018-7738.patch b/gnu/packages/patches/util-linux-CVE-2018-7738.patch
new file mode 100644
index 000000000..080e2f56b
--- /dev/null
+++ b/gnu/packages/patches/util-linux-CVE-2018-7738.patch
@@ -0,0 +1,49 @@
+Fix CVE-2018-7738:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738
+
+Patch copied from upstream source repository:
+
+https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55
+
+From 75f03badd7ed9f1dd951863d75e756883d3acc55 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 16 Nov 2017 16:27:32 +0100
+Subject: [PATCH] bash-completion: (umount) use findmnt, escape a space in
+ paths
+
+ # mount /dev/sdc1 /mnt/test/foo\ bar
+ # umount <tab>
+
+has to return "/mnt/test/foo\ bar".
+
+Changes:
+
+ * don't use mount | awk output, we have findmnt
+ * force compgen use \n as entries separator
+
+Addresses: https://github.com/karelzak/util-linux/issues/539
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ bash-completion/umount | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/bash-completion/umount b/bash-completion/umount
+index d76cb9fff..98c90d61a 100644
+--- a/bash-completion/umount
++++ b/bash-completion/umount
+@@ -40,9 +40,10 @@ _umount_module()
+ 			return 0
+ 			;;
+ 	esac
+-	local DEVS_MPOINTS
+-	DEVS_MPOINTS="$(mount | awk '{print $1, $3}')"
+-	COMPREPLY=( $(compgen -W "$DEVS_MPOINTS" -- $cur) )
+-	return 0
++
++	local oldifs=$IFS
++	IFS=$'\n'
++	COMPREPLY=( $( compgen -W '$(findmnt -lno TARGET | sed "s/\([[:blank:]]\)/\\\\\1/g")' -- "$cur" ) )
++	IFS=$oldifs
+ }
+ complete -F _umount_module umount
-- 
2.16.2

[bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738.

[Marius Bakke]

[-- Attachment #1: Type: text/plain, Size: 269 bytes --]

Leo Famulari <leo@famulari.name> writes:

> * gnu/packages/patches/util-linux-CVE-2018-7738.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/linux.scm (util-linux)[replacement]: New field.
> (util-linux/fixed): New variable.

LGTM, thanks!

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

[bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738.

[Ludovic Courtès]

Hello!

Leo Famulari <leo@famulari.name> skribis:

> * gnu/packages/patches/util-linux-CVE-2018-7738.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/linux.scm (util-linux)[replacement]: New field.
> (util-linux/fixed): New variable.

[...]

> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738
> +
> +Patch copied from upstream source repository:
> +
> +https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55

I’m late to the party, but I’m wondering in this case if, instead of
grafting, we should simply add an util-linux@2.31a package, and make
sure GuixSD uses that one in %base-packages.

That way, both GuixSD and manually installed util-linux would get the
Bash completion fix.  It’s probably OK that packages that depend on
util-linux don’t get the fixed version because users don’t get bash
completion from there.

WDYT?

Thanks,
Ludo’.

[bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738.

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 1110 bytes --]

On Mon, Mar 19, 2018 at 10:15:22AM +0100, Ludovic Courtès wrote:
> Hello!
> 
> Leo Famulari <leo@famulari.name> skribis:
> 
> > * gnu/packages/patches/util-linux-CVE-2018-7738.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> > * gnu/packages/linux.scm (util-linux)[replacement]: New field.
> > (util-linux/fixed): New variable.
> 
> [...]
> 
> > +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738
> > +
> > +Patch copied from upstream source repository:
> > +
> > +https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55
> 
> I’m late to the party, but I’m wondering in this case if, instead of
> grafting, we should simply add an util-linux@2.31a package, and make
> sure GuixSD uses that one in %base-packages.
> 
> That way, both GuixSD and manually installed util-linux would get the
> Bash completion fix.  It’s probably OK that packages that depend on
> util-linux don’t get the fixed version because users don’t get bash
> completion from there.
> 
> WDYT?

That's a good idea. I'll test and push today.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738.

[Leo Famulari]

[-- Attachment #1.1: Type: text/plain, Size: 571 bytes --]

On Mon, Mar 19, 2018 at 10:15:22AM +0100, Ludovic Courtès wrote:
> I’m late to the party, but I’m wondering in this case if, instead of
> grafting, we should simply add an util-linux@2.31a package, and make
> sure GuixSD uses that one in %base-packages.
> 
> That way, both GuixSD and manually installed util-linux would get the
> Bash completion fix.  It’s probably OK that packages that depend on
> util-linux don’t get the fixed version because users don’t get bash
> completion from there.
> 
> WDYT?

What do you think of the attached patch?

[-- Attachment #1.2: 0001-gnu-util-linux-Fix-CVE-2018-7738-without-grafting.patch --]
[-- Type: text/plain, Size: 4240 bytes --]

From c29872dab8ca0a8fc20bdaf4183d6f061fa2c677 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Mon, 19 Mar 2018 17:13:26 -0400
Subject: [PATCH] gnu: util-linux: Fix CVE-2018-7738 without grafting.

* gnu/packages/linux.scm (util-linux)[replacement]: Remove field.
(util-linux-2.31.1): New variable.
* gnu/system.scm (%base-packages): Use util-linux-2.31.1.
---
 gnu/packages/linux.scm | 40 ++++++++++++++++++++++++++++++++--------
 gnu/system.scm         |  2 +-
 2 files changed, 33 insertions(+), 9 deletions(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index b586c29d0..710b39bbd 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -19,7 +19,7 @@
 ;;; Copyright © 2016 Rene Saavedra <rennes@openmailbox.org>
 ;;; Copyright © 2016 Carlos Sánchez de La Lama <csanchezdll@gmail.com>
 ;;; Copyright © 2016, 2017 ng0 <ng0@infotropique.org>
-;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2017, 2018 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2017 José Miguel Sánchez García <jmi2k@openmailbox.com>
 ;;; Copyright © 2017 Gábor Boskovits <boskovits@gmail.com>
 ;;; Copyright © 2017 Mathieu Othacehe <m.othacehe@gmail.com>
@@ -547,7 +547,6 @@ providing the system administrator with some help in common tasks.")
 (define-public util-linux
   (package
     (name "util-linux")
-    (replacement util-linux/fixed)
     (version "2.31")
     (source (origin
               (method url-fetch)
@@ -635,14 +634,39 @@ block devices, UUIDs, TTYs, and many other tools.")
     (license (list license:gpl3+ license:gpl2+ license:gpl2 license:lgpl2.0+
                    license:bsd-4 license:public-domain))))
 
-(define util-linux/fixed
+;; The patch 'util-linux-CVE-2018-7738.patch' fixes a security bug in
+;; the Bash completions for `mount`. Since this bug doesn't affect
+;; other programs that link against libraries from util-linux, we don't
+;; need to use a graft to make the fix available. Instead, users
+;; installing util-linux will get the fix in this newer version, and
+;; (@ (gnu system) %base-packages) takes care to use this package.
+;; This solution was suggested here:
+;; <https://debbugs.gnu.org/cgi/bugreport.cgi?bug=30827#13>
+(define-public util-linux-2.31.1
   (package
     (inherit util-linux)
-    (source
-      (origin
-        (inherit (package-source util-linux))
-        (patches (append (origin-patches (package-source util-linux))
-                         (search-patches "util-linux-CVE-2018-7738.patch")))))))
+    (name "util-linux")
+    ;; XXX Don't update this without also updating %base-packages!
+    (version "2.31.1")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "mirror://kernel.org/linux/utils/"
+                                  name "/v" (version-major+minor version) "/"
+                                  name "-" version ".tar.xz"))
+              (sha256
+               (base32
+                "04fzrnrr3pvqskvjn9f81y0knh0jvvqx4lmbz5pd4lfdm5pv2l8s"))
+              (patches (search-patches "util-linux-tests.patch"
+                                       "util-linux-CVE-2018-7738.patch"))
+              (modules '((guix build utils)))
+              (snippet
+               ;; We take the 'logger' program from GNU Inetutils and 'kill'
+               ;; from GNU Coreutils.
+               '(begin
+                  (substitute* "configure"
+                    (("build_logger=yes") "build_logger=no")
+                    (("build_kill=yes") "build_kill=no"))
+                  #t))))))
 
 (define-public ddate
   (package
diff --git a/gnu/system.scm b/gnu/system.scm
index eb4b63c42..0e647356c 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -515,7 +515,7 @@ explicitly appear in OS."
   ;; required for basic administrator tasks.
   (cons* procps psmisc which less zile nano
          pciutils usbutils
-         util-linux inetutils isc-dhcp
+         util-linux-2.31.1 inetutils isc-dhcp
          (@ (gnu packages admin) shadow)          ;for 'passwd'
 
          ;; wireless-tools is deprecated in favor of iw, but it's still what
-- 
2.16.2


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738.

[Marius Bakke]

[-- Attachment #1: Type: text/plain, Size: 3179 bytes --]

Leo Famulari <leo@famulari.name> writes:

> On Mon, Mar 19, 2018 at 10:15:22AM +0100, Ludovic Courtès wrote:
>> I’m late to the party, but I’m wondering in this case if, instead of
>> grafting, we should simply add an util-linux@2.31a package, and make
>> sure GuixSD uses that one in %base-packages.
>> 
>> That way, both GuixSD and manually installed util-linux would get the
>> Bash completion fix.  It’s probably OK that packages that depend on
>> util-linux don’t get the fixed version because users don’t get bash
>> completion from there.
>> 
>> WDYT?
>
> What do you think of the attached patch?
> From c29872dab8ca0a8fc20bdaf4183d6f061fa2c677 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Mon, 19 Mar 2018 17:13:26 -0400
> Subject: [PATCH] gnu: util-linux: Fix CVE-2018-7738 without grafting.
>
> * gnu/packages/linux.scm (util-linux)[replacement]: Remove field.
> (util-linux-2.31.1): New variable.
> * gnu/system.scm (%base-packages): Use util-linux-2.31.1.

[...]
  
> -(define util-linux/fixed
> +;; The patch 'util-linux-CVE-2018-7738.patch' fixes a security bug in
> +;; the Bash completions for `mount`. Since this bug doesn't affect
> +;; other programs that link against libraries from util-linux, we don't
> +;; need to use a graft to make the fix available. Instead, users
> +;; installing util-linux will get the fix in this newer version, and
> +;; (@ (gnu system) %base-packages) takes care to use this package.
> +;; This solution was suggested here:
> +;; <https://debbugs.gnu.org/cgi/bugreport.cgi?bug=30827#13>
> +(define-public util-linux-2.31.1
>    (package
>      (inherit util-linux)
> -    (source
> -      (origin
> -        (inherit (package-source util-linux))
> -        (patches (append (origin-patches (package-source util-linux))
> -                         (search-patches "util-linux-CVE-2018-7738.patch")))))))
> +    (name "util-linux")
> +    ;; XXX Don't update this without also updating %base-packages!
> +    (version "2.31.1")
> +    (source (origin
> +              (method url-fetch)
> +              (uri (string-append "mirror://kernel.org/linux/utils/"
> +                                  name "/v" (version-major+minor version) "/"
> +                                  name "-" version ".tar.xz"))
> +              (sha256
> +               (base32
> +                "04fzrnrr3pvqskvjn9f81y0knh0jvvqx4lmbz5pd4lfdm5pv2l8s"))
> +              (patches (search-patches "util-linux-tests.patch"
> +                                       "util-linux-CVE-2018-7738.patch"))
> +              (modules '((guix build utils)))
> +              (snippet
> +               ;; We take the 'logger' program from GNU Inetutils and 'kill'
> +               ;; from GNU Coreutils.
> +               '(begin
> +                  (substitute* "configure"
> +                    (("build_logger=yes") "build_logger=no")
> +                    (("build_kill=yes") "build_kill=no"))
> +                  #t))))))

You can keep (inherit (package-source ...)) here to avoid duplicating
snippet, modules and method.  Apart from that LGTM.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

[bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738.

[Ludovic Courtès]

Hi,

Marius Bakke <mbakke@fastmail.com> skribis:

> Leo Famulari <leo@famulari.name> writes:

[...]

>> From c29872dab8ca0a8fc20bdaf4183d6f061fa2c677 Mon Sep 17 00:00:00 2001
>> From: Leo Famulari <leo@famulari.name>
>> Date: Mon, 19 Mar 2018 17:13:26 -0400
>> Subject: [PATCH] gnu: util-linux: Fix CVE-2018-7738 without grafting.
>>
>> * gnu/packages/linux.scm (util-linux)[replacement]: Remove field.
>> (util-linux-2.31.1): New variable.
>> * gnu/system.scm (%base-packages): Use util-linux-2.31.1.
>
> [...]
>   
>> -(define util-linux/fixed
>> +;; The patch 'util-linux-CVE-2018-7738.patch' fixes a security bug in
>> +;; the Bash completions for `mount`. Since this bug doesn't affect
>> +;; other programs that link against libraries from util-linux, we don't
>> +;; need to use a graft to make the fix available. Instead, users
>> +;; installing util-linux will get the fix in this newer version, and
>> +;; (@ (gnu system) %base-packages) takes care to use this package.
>> +;; This solution was suggested here:
>> +;; <https://debbugs.gnu.org/cgi/bugreport.cgi?bug=30827#13>
>> +(define-public util-linux-2.31.1
>>    (package
>>      (inherit util-linux)
>> -    (source
>> -      (origin
>> -        (inherit (package-source util-linux))
>> -        (patches (append (origin-patches (package-source util-linux))
>> -                         (search-patches "util-linux-CVE-2018-7738.patch")))))))
>> +    (name "util-linux")
>> +    ;; XXX Don't update this without also updating %base-packages!
>> +    (version "2.31.1")
>> +    (source (origin
>> +              (method url-fetch)
>> +              (uri (string-append "mirror://kernel.org/linux/utils/"
>> +                                  name "/v" (version-major+minor version) "/"
>> +                                  name "-" version ".tar.xz"))
>> +              (sha256
>> +               (base32
>> +                "04fzrnrr3pvqskvjn9f81y0knh0jvvqx4lmbz5pd4lfdm5pv2l8s"))
>> +              (patches (search-patches "util-linux-tests.patch"
>> +                                       "util-linux-CVE-2018-7738.patch"))
>> +              (modules '((guix build utils)))
>> +              (snippet
>> +               ;; We take the 'logger' program from GNU Inetutils and 'kill'
>> +               ;; from GNU Coreutils.
>> +               '(begin
>> +                  (substitute* "configure"
>> +                    (("build_logger=yes") "build_logger=no")
>> +                    (("build_kill=yes") "build_kill=no"))
>> +                  #t))))))
>
> You can keep (inherit (package-source ...)) here to avoid duplicating
> snippet, modules and method.  Apart from that LGTM.

Agreed.

Thank you!

Ludo’.

[bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738.

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 340 bytes --]

On Tue, Mar 20, 2018 at 09:47:02AM +0100, Ludovic Courtès wrote:
> Marius Bakke <mbakke@fastmail.com> skribis:
> > You can keep (inherit (package-source ...)) here to avoid duplicating
> > snippet, modules and method.  Apart from that LGTM.
> 
> Agreed.
> 
> Thank you!

Thanks, pushed as af23710ff522bb4e6cedf841c4fb977d96c9d8b3

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]