From: Léo Le Bouter <lle-bout@zaclys.net>
To: guix-devel@gnu.org
Subject: security patching of 'patch' package
Date: Wed, 10 Mar 2021 04:14:35 +0100
Message-ID: <6d01d537754ce50b10035903d8e7d205699c4b39.camel@zaclys.net>
List-Id: "Development of GNU Guix and the GNU System distribution." (guix-devel@gnu.org)
Hello!

I found that the 'patch' package was vulnerable to numerous CVEs that other distros like Debian have patched. Here's the list reported by 'guix lint -c cve patch':

patch@2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638, CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951, CVE-2018-6952

Can I use the latest commit from master to build 'patch' and then graft the original package? i.e. https://git.savannah.gnu.org/git/patch.git

There are not that many commits since the last release, but a lot of time has passed: https://git.savannah.gnu.org/cgit/patch.git/log/

Thank you,
Léo
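One way the grafted fix asked about above would be expressed in Guix, added here as an example and not part of the original message or of Guix's own package definitions. It applies the fixes as backported patch files rather than building from a git commit (the graft mechanism is the same either way); the patch file names are placeholders for commits backported from https://git.savannah.gnu.org/git/patch.git and stored under gnu/packages/patches/.

```scheme
;; Added example: a grafted security update for the 'patch' package, in the
;; style of a Guix package definition. Not code from the message or from
;; Guix itself; the patch file names are assumed placeholders standing for
;; fixes backported from the upstream git repository.
(use-modules (guix packages)
             (gnu packages)        ; search-patches
             (gnu packages base))  ; the original 'patch' package

;; The replacement inherits NAME and VERSION unchanged from 'patch'. Grafts
;; work by rewriting /gnu/store file names inside already-built dependents,
;; so the replacement's store file name must be the same length as the
;; original's; bumping the version string would break that.
(define-public patch/fixed
  (package
    (inherit patch)
    (source
     (origin
       (inherit (package-source patch))
       ;; Keep whatever patches the original already carries and append the
       ;; backported CVE fixes (placeholder names). Naming each file after
       ;; the CVE it fixes matters: 'guix lint -c cve' treats CVE identifiers
       ;; found in patch file names as addressed, so the check below goes
       ;; quiet for those entries.
       (patches
        (append (origin-patches (package-source patch))
                (search-patches "patch-CVE-2019-13636.patch"
                                "patch-CVE-2019-13638.patch")))))
    ;; For a CVE that has been judged not to apply, hide it explicitly
    ;; instead of leaving the lint warning unexplained (placeholder id).
    (properties
     `((lint-hidden-cve . ("CVE-2018-6952"))
       ,@(package-properties patch)))))

;; In gnu/packages/base.scm the original definition then gains a
;; 'replacement' field pointing at the fixed variant:
;;
;;   (define-public patch
;;     (package
;;       (name "patch")
;;       ...
;;       (replacement patch/fixed)))
;;
;; Checks from a shell after that:
;;   guix build patch               ; grafted output, dependents not rebuilt
;;   guix build --no-grafts patch   ; the original, unpatched build
;;   guix lint -c cve patch         ; CVEs named in patch files drop out
```

Pinning a git commit instead of shipping patch files works with the same `replacement` field, but a git checkout of this project needs its bootstrap steps and extra native inputs, so backporting the individual upstream commits as patch files is the smaller and more reviewable change.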