* [bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738.
@ 2018-03-15 17:58 Leo Famulari
2018-03-16 14:13 ` Marius Bakke
2018-03-19 9:15 ` Ludovic Courtès
0 siblings, 2 replies; 8+ messages in thread
From: Leo Famulari @ 2018-03-15 17:58 UTC (permalink / raw)
To: 30827
* gnu/packages/patches/util-linux-CVE-2018-7738.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/linux.scm (util-linux)[replacement]: New field.
(util-linux/fixed): New variable.
---
gnu/local.mk | 1 +
gnu/packages/linux.scm | 10 +++++
.../patches/util-linux-CVE-2018-7738.patch | 49 ++++++++++++++++++++++
3 files changed, 60 insertions(+)
create mode 100644 gnu/packages/patches/util-linux-CVE-2018-7738.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 69e4d2b7b..788b260e5 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1135,6 +1135,7 @@ dist_patch_DATA = \
%D%/packages/patches/unzip-overflow-long-fsize.patch \
%D%/packages/patches/unzip-remove-build-date.patch \
%D%/packages/patches/ustr-fix-build-with-gcc-5.patch \
+ %D%/packages/patches/util-linux-CVE-2018-7738.patch \
%D%/packages/patches/util-linux-tests.patch \
%D%/packages/patches/upower-builddir.patch \
%D%/packages/patches/valgrind-enable-arm.patch \
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index b81cb55d6..0c7642201 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -547,6 +547,7 @@ providing the system administrator with some help in common tasks.")
(define-public util-linux
(package
(name "util-linux")
+ (replacement util-linux/fixed)
(version "2.31")
(source (origin
(method url-fetch)
@@ -634,6 +635,15 @@ block devices, UUIDs, TTYs, and many other tools.")
(license (list license:gpl3+ license:gpl2+ license:gpl2 license:lgpl2.0+
license:bsd-4 license:public-domain))))
+(define util-linux/fixed
+ (package
+ (inherit util-linux)
+ (source
+ (origin
+ (inherit (package-source util-linux))
+ (patches (append (origin-patches (package-source util-linux))
+ (search-patches "util-linux-CVE-2018-7738.patch")))))))
+
(define-public ddate
(package
(name "ddate")
diff --git a/gnu/packages/patches/util-linux-CVE-2018-7738.patch b/gnu/packages/patches/util-linux-CVE-2018-7738.patch
new file mode 100644
index 000000000..080e2f56b
--- /dev/null
+++ b/gnu/packages/patches/util-linux-CVE-2018-7738.patch
@@ -0,0 +1,49 @@
+Fix CVE-2018-7738:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738
+
+Patch copied from upstream source repository:
+
+https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55
+
+From 75f03badd7ed9f1dd951863d75e756883d3acc55 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 16 Nov 2017 16:27:32 +0100
+Subject: [PATCH] bash-completion: (umount) use findmnt, escape a space in
+ paths
+
+ # mount /dev/sdc1 /mnt/test/foo\ bar
+ # umount <tab>
+
+has to return "/mnt/test/foo\ bar".
+
+Changes:
+
+ * don't use mount | awk output, we have findmnt
+ * force compgen use \n as entries separator
+
+Addresses: https://github.com/karelzak/util-linux/issues/539
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ bash-completion/umount | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/bash-completion/umount b/bash-completion/umount
+index d76cb9fff..98c90d61a 100644
+--- a/bash-completion/umount
++++ b/bash-completion/umount
+@@ -40,9 +40,10 @@ _umount_module()
+ return 0
+ ;;
+ esac
+- local DEVS_MPOINTS
+- DEVS_MPOINTS="$(mount | awk '{print $1, $3}')"
+- COMPREPLY=( $(compgen -W "$DEVS_MPOINTS" -- $cur) )
+- return 0
++
++ local oldifs=$IFS
++ IFS=$'\n'
++ COMPREPLY=( $( compgen -W '$(findmnt -lno TARGET | sed "s/\([[:blank:]]\)/\\\\\1/g")' -- "$cur" ) )
++ IFS=$oldifs
+ }
+ complete -F _umount_module umount
--
2.16.2
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738.
2018-03-15 17:58 [bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738 Leo Famulari
@ 2018-03-16 14:13 ` Marius Bakke
2018-03-19 9:15 ` Ludovic Courtès
1 sibling, 0 replies; 8+ messages in thread
From: Marius Bakke @ 2018-03-16 14:13 UTC (permalink / raw)
To: Leo Famulari, 30827
[-- Attachment #1: Type: text/plain, Size: 269 bytes --]
Leo Famulari <leo@famulari.name> writes:
> * gnu/packages/patches/util-linux-CVE-2018-7738.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/linux.scm (util-linux)[replacement]: New field.
> (util-linux/fixed): New variable.
LGTM, thanks!
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* [bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738.
2018-03-15 17:58 [bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738 Leo Famulari
2018-03-16 14:13 ` Marius Bakke
@ 2018-03-19 9:15 ` Ludovic Courtès
2018-03-19 20:52 ` Leo Famulari
2018-03-19 22:15 ` Leo Famulari
1 sibling, 2 replies; 8+ messages in thread
From: Ludovic Courtès @ 2018-03-19 9:15 UTC (permalink / raw)
To: Leo Famulari; +Cc: 30827
Hello!
Leo Famulari <leo@famulari.name> skribis:
> * gnu/packages/patches/util-linux-CVE-2018-7738.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/linux.scm (util-linux)[replacement]: New field.
> (util-linux/fixed): New variable.
[...]
> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738
> +
> +Patch copied from upstream source repository:
> +
> +https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55
I’m late to the party, but I’m wondering in this case if, instead of
grafting, we should simply add an util-linux@2.31a package, and make
sure GuixSD uses that one in %base-packages.
That way, both GuixSD and manually installed util-linux would get the
Bash completion fix. It’s probably OK that packages that depend on
util-linux don’t get the fixed version because users don’t get bash
completion from there.
WDYT?
Thanks,
Ludo’.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738.
2018-03-19 9:15 ` Ludovic Courtès
@ 2018-03-19 20:52 ` Leo Famulari
2018-03-19 22:15 ` Leo Famulari
1 sibling, 0 replies; 8+ messages in thread
From: Leo Famulari @ 2018-03-19 20:52 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 30827
[-- Attachment #1: Type: text/plain, Size: 1110 bytes --]
On Mon, Mar 19, 2018 at 10:15:22AM +0100, Ludovic Courtès wrote:
> Hello!
>
> Leo Famulari <leo@famulari.name> skribis:
>
> > * gnu/packages/patches/util-linux-CVE-2018-7738.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> > * gnu/packages/linux.scm (util-linux)[replacement]: New field.
> > (util-linux/fixed): New variable.
>
> [...]
>
> > +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738
> > +
> > +Patch copied from upstream source repository:
> > +
> > +https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55
>
> I’m late to the party, but I’m wondering in this case if, instead of
> grafting, we should simply add an util-linux@2.31a package, and make
> sure GuixSD uses that one in %base-packages.
>
> That way, both GuixSD and manually installed util-linux would get the
> Bash completion fix. It’s probably OK that packages that depend on
> util-linux don’t get the fixed version because users don’t get bash
> completion from there.
>
> WDYT?
That's a good idea. I'll test and push today.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* [bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738.
2018-03-19 9:15 ` Ludovic Courtès
2018-03-19 20:52 ` Leo Famulari
@ 2018-03-19 22:15 ` Leo Famulari
2018-03-20 1:23 ` Marius Bakke
1 sibling, 1 reply; 8+ messages in thread
From: Leo Famulari @ 2018-03-19 22:15 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 30827
[-- Attachment #1.1: Type: text/plain, Size: 571 bytes --]
On Mon, Mar 19, 2018 at 10:15:22AM +0100, Ludovic Courtès wrote:
> I’m late to the party, but I’m wondering in this case if, instead of
> grafting, we should simply add an util-linux@2.31a package, and make
> sure GuixSD uses that one in %base-packages.
>
> That way, both GuixSD and manually installed util-linux would get the
> Bash completion fix. It’s probably OK that packages that depend on
> util-linux don’t get the fixed version because users don’t get bash
> completion from there.
>
> WDYT?
What do you think of the attached patch?
[-- Attachment #1.2: 0001-gnu-util-linux-Fix-CVE-2018-7738-without-grafting.patch --]
[-- Type: text/plain, Size: 4240 bytes --]
From c29872dab8ca0a8fc20bdaf4183d6f061fa2c677 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Mon, 19 Mar 2018 17:13:26 -0400
Subject: [PATCH] gnu: util-linux: Fix CVE-2018-7738 without grafting.
* gnu/packages/linux.scm (util-linux)[replacement]: Remove field.
(util-linux-2.31.1): New variable.
* gnu/system.scm (%base-packages): Use util-linux-2.31.1.
---
gnu/packages/linux.scm | 40 ++++++++++++++++++++++++++++++++--------
gnu/system.scm | 2 +-
2 files changed, 33 insertions(+), 9 deletions(-)
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index b586c29d0..710b39bbd 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -19,7 +19,7 @@
;;; Copyright © 2016 Rene Saavedra <rennes@openmailbox.org>
;;; Copyright © 2016 Carlos Sánchez de La Lama <csanchezdll@gmail.com>
;;; Copyright © 2016, 2017 ng0 <ng0@infotropique.org>
-;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2017, 2018 Leo Famulari <leo@famulari.name>
;;; Copyright © 2017 José Miguel Sánchez García <jmi2k@openmailbox.com>
;;; Copyright © 2017 Gábor Boskovits <boskovits@gmail.com>
;;; Copyright © 2017 Mathieu Othacehe <m.othacehe@gmail.com>
@@ -547,7 +547,6 @@ providing the system administrator with some help in common tasks.")
(define-public util-linux
(package
(name "util-linux")
- (replacement util-linux/fixed)
(version "2.31")
(source (origin
(method url-fetch)
@@ -635,14 +634,39 @@ block devices, UUIDs, TTYs, and many other tools.")
(license (list license:gpl3+ license:gpl2+ license:gpl2 license:lgpl2.0+
license:bsd-4 license:public-domain))))
-(define util-linux/fixed
+;; The patch 'util-linux-CVE-2018-7738.patch' fixes a security bug in
+;; the Bash completions for `mount`. Since this bug doesn't affect
+;; other programs that link against libraries from util-linux, we don't
+;; need to use a graft to make the fix available. Instead, users
+;; installing util-linux will get the fix in this newer version, and
+;; (@ (gnu system) %base-packages) takes care to use this package.
+;; This solution was suggested here:
+;; <https://debbugs.gnu.org/cgi/bugreport.cgi?bug=30827#13>
+(define-public util-linux-2.31.1
(package
(inherit util-linux)
- (source
- (origin
- (inherit (package-source util-linux))
- (patches (append (origin-patches (package-source util-linux))
- (search-patches "util-linux-CVE-2018-7738.patch")))))))
+ (name "util-linux")
+ ;; XXX Don't update this without also updating %base-packages!
+ (version "2.31.1")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "mirror://kernel.org/linux/utils/"
+ name "/v" (version-major+minor version) "/"
+ name "-" version ".tar.xz"))
+ (sha256
+ (base32
+ "04fzrnrr3pvqskvjn9f81y0knh0jvvqx4lmbz5pd4lfdm5pv2l8s"))
+ (patches (search-patches "util-linux-tests.patch"
+ "util-linux-CVE-2018-7738.patch"))
+ (modules '((guix build utils)))
+ (snippet
+ ;; We take the 'logger' program from GNU Inetutils and 'kill'
+ ;; from GNU Coreutils.
+ '(begin
+ (substitute* "configure"
+ (("build_logger=yes") "build_logger=no")
+ (("build_kill=yes") "build_kill=no"))
+ #t))))))
(define-public ddate
(package
diff --git a/gnu/system.scm b/gnu/system.scm
index eb4b63c42..0e647356c 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -515,7 +515,7 @@ explicitly appear in OS."
;; required for basic administrator tasks.
(cons* procps psmisc which less zile nano
pciutils usbutils
- util-linux inetutils isc-dhcp
+ util-linux-2.31.1 inetutils isc-dhcp
(@ (gnu packages admin) shadow) ;for 'passwd'
;; wireless-tools is deprecated in favor of iw, but it's still what
--
2.16.2
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738.
2018-03-19 22:15 ` Leo Famulari
@ 2018-03-20 1:23 ` Marius Bakke
2018-03-20 8:47 ` Ludovic Courtès
0 siblings, 1 reply; 8+ messages in thread
From: Marius Bakke @ 2018-03-20 1:23 UTC (permalink / raw)
To: Leo Famulari, Ludovic Courtès; +Cc: 30827
[-- Attachment #1: Type: text/plain, Size: 3179 bytes --]
Leo Famulari <leo@famulari.name> writes:
> On Mon, Mar 19, 2018 at 10:15:22AM +0100, Ludovic Courtès wrote:
>> I’m late to the party, but I’m wondering in this case if, instead of
>> grafting, we should simply add an util-linux@2.31a package, and make
>> sure GuixSD uses that one in %base-packages.
>>
>> That way, both GuixSD and manually installed util-linux would get the
>> Bash completion fix. It’s probably OK that packages that depend on
>> util-linux don’t get the fixed version because users don’t get bash
>> completion from there.
>>
>> WDYT?
>
> What do you think of the attached patch?
> From c29872dab8ca0a8fc20bdaf4183d6f061fa2c677 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Mon, 19 Mar 2018 17:13:26 -0400
> Subject: [PATCH] gnu: util-linux: Fix CVE-2018-7738 without grafting.
>
> * gnu/packages/linux.scm (util-linux)[replacement]: Remove field.
> (util-linux-2.31.1): New variable.
> * gnu/system.scm (%base-packages): Use util-linux-2.31.1.
[...]
> -(define util-linux/fixed
> +;; The patch 'util-linux-CVE-2018-7738.patch' fixes a security bug in
> +;; the Bash completions for `mount`. Since this bug doesn't affect
> +;; other programs that link against libraries from util-linux, we don't
> +;; need to use a graft to make the fix available. Instead, users
> +;; installing util-linux will get the fix in this newer version, and
> +;; (@ (gnu system) %base-packages) takes care to use this package.
> +;; This solution was suggested here:
> +;; <https://debbugs.gnu.org/cgi/bugreport.cgi?bug=30827#13>
> +(define-public util-linux-2.31.1
> (package
> (inherit util-linux)
> - (source
> - (origin
> - (inherit (package-source util-linux))
> - (patches (append (origin-patches (package-source util-linux))
> - (search-patches "util-linux-CVE-2018-7738.patch")))))))
> + (name "util-linux")
> + ;; XXX Don't update this without also updating %base-packages!
> + (version "2.31.1")
> + (source (origin
> + (method url-fetch)
> + (uri (string-append "mirror://kernel.org/linux/utils/"
> + name "/v" (version-major+minor version) "/"
> + name "-" version ".tar.xz"))
> + (sha256
> + (base32
> + "04fzrnrr3pvqskvjn9f81y0knh0jvvqx4lmbz5pd4lfdm5pv2l8s"))
> + (patches (search-patches "util-linux-tests.patch"
> + "util-linux-CVE-2018-7738.patch"))
> + (modules '((guix build utils)))
> + (snippet
> + ;; We take the 'logger' program from GNU Inetutils and 'kill'
> + ;; from GNU Coreutils.
> + '(begin
> + (substitute* "configure"
> + (("build_logger=yes") "build_logger=no")
> + (("build_kill=yes") "build_kill=no"))
> + #t))))))
You can keep (inherit (package-source ...)) here to avoid duplicating
snippet, modules and method. Apart from that LGTM.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* [bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738.
2018-03-20 1:23 ` Marius Bakke
@ 2018-03-20 8:47 ` Ludovic Courtès
2018-03-20 21:17 ` Leo Famulari
0 siblings, 1 reply; 8+ messages in thread
From: Ludovic Courtès @ 2018-03-20 8:47 UTC (permalink / raw)
To: Marius Bakke; +Cc: 30827
Hi,
Marius Bakke <mbakke@fastmail.com> skribis:
> Leo Famulari <leo@famulari.name> writes:
[...]
>> From c29872dab8ca0a8fc20bdaf4183d6f061fa2c677 Mon Sep 17 00:00:00 2001
>> From: Leo Famulari <leo@famulari.name>
>> Date: Mon, 19 Mar 2018 17:13:26 -0400
>> Subject: [PATCH] gnu: util-linux: Fix CVE-2018-7738 without grafting.
>>
>> * gnu/packages/linux.scm (util-linux)[replacement]: Remove field.
>> (util-linux-2.31.1): New variable.
>> * gnu/system.scm (%base-packages): Use util-linux-2.31.1.
>
> [...]
>
>> -(define util-linux/fixed
>> +;; The patch 'util-linux-CVE-2018-7738.patch' fixes a security bug in
>> +;; the Bash completions for `mount`. Since this bug doesn't affect
>> +;; other programs that link against libraries from util-linux, we don't
>> +;; need to use a graft to make the fix available. Instead, users
>> +;; installing util-linux will get the fix in this newer version, and
>> +;; (@ (gnu system) %base-packages) takes care to use this package.
>> +;; This solution was suggested here:
>> +;; <https://debbugs.gnu.org/cgi/bugreport.cgi?bug=30827#13>
>> +(define-public util-linux-2.31.1
>> (package
>> (inherit util-linux)
>> - (source
>> - (origin
>> - (inherit (package-source util-linux))
>> - (patches (append (origin-patches (package-source util-linux))
>> - (search-patches "util-linux-CVE-2018-7738.patch")))))))
>> + (name "util-linux")
>> + ;; XXX Don't update this without also updating %base-packages!
>> + (version "2.31.1")
>> + (source (origin
>> + (method url-fetch)
>> + (uri (string-append "mirror://kernel.org/linux/utils/"
>> + name "/v" (version-major+minor version) "/"
>> + name "-" version ".tar.xz"))
>> + (sha256
>> + (base32
>> + "04fzrnrr3pvqskvjn9f81y0knh0jvvqx4lmbz5pd4lfdm5pv2l8s"))
>> + (patches (search-patches "util-linux-tests.patch"
>> + "util-linux-CVE-2018-7738.patch"))
>> + (modules '((guix build utils)))
>> + (snippet
>> + ;; We take the 'logger' program from GNU Inetutils and 'kill'
>> + ;; from GNU Coreutils.
>> + '(begin
>> + (substitute* "configure"
>> + (("build_logger=yes") "build_logger=no")
>> + (("build_kill=yes") "build_kill=no"))
>> + #t))))))
>
> You can keep (inherit (package-source ...)) here to avoid duplicating
> snippet, modules and method. Apart from that LGTM.
Agreed.
Thank you!
Ludo’.
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2018-03-20 21:18 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-03-15 17:58 [bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738 Leo Famulari
2018-03-16 14:13 ` Marius Bakke
2018-03-19 9:15 ` Ludovic Courtès
2018-03-19 20:52 ` Leo Famulari
2018-03-19 22:15 ` Leo Famulari
2018-03-20 1:23 ` Marius Bakke
2018-03-20 8:47 ` Ludovic Courtès
2018-03-20 21:17 ` Leo Famulari
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.