From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: Handling ‘file’ CVE
Date: Thu, 13 Nov 2014 21:43:04 +0100
Message-ID: <87zjbu4ysn.fsf@gnu.org>
In-Reply-To: <87egt7f052.fsf@yeeloong.lan> (Mark H. Weaver's message of "Thu, 13 Nov 2014 13:03:53 -0500")
References: <87389nl6wi.fsf@gnu.org> <87mw7vhwgz.fsf@gnu.org> <87egt7f052.fsf@yeeloong.lan>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Mark H Weaver
Cc: Guix-devel

Mark H Weaver writes:

> FWIW, I think it would be better for 'file' to be bound to the fixed
> package, and to add a 'file/fixed' that points to the old buggy one.
> Then 'file/fixed' could be used in some selected places.
>
> 'file' is used as a plain input (as opposed to native-input) in several
> places that make me a bit nervous, e.g. the 'transmission' bittorrent
> client (is 'file' being used at runtime on downloaded files?), and also
> 'aegis', 'quilt', and 'cmake'.
This script helps determine this:

[attachment: things-using-file.scm]

(use-modules (guix)
             (gnu)
             (gnu packages file)
             (ice-9 match)
             (srfi srfi-1)
             (srfi srfi-26))

;; Return true if INPUTS, a list of (LABEL PACKAGE . OUTPUTS) entries,
;; contains the 'file' package.
(define (file-input? inputs)
  (find (match-lambda
          ((label (? package? p) . _)
           (eq? p file))
          (_ #f))
        inputs))

;; All packages that list 'file' among their inputs or propagated inputs.
(define (packages-using-file)
  (fold-packages (lambda (package result)
                   (if (or (file-input? (package-inputs package))
                           (file-input? (package-propagated-inputs package)))
                       (cons package result)
                       result))
                 '()))

;; True if the outputs of PACKAGE keep a reference to the store item of
;; 'file', i.e. 'file' is a run-time dependency and not merely a build-time
;; one.  Substitute metadata is consulted so that nothing needs to be built.
(define (has-runtime-dependency-on-file? package)
  (with-store store
    (let* ((file (package-full-name file))
           (drv  (package-derivation store package))
           (outs (map cdr (derivation->output-paths drv)))
           (info (substitutable-path-info store outs)))
      (find (lambda (info)
              (find (cut string-suffix? file <>)
                    (substitutable-references info)))
            info))))

(define (packages-with-runtime-dependency-on-file)
  (filter has-runtime-dependency-on-file?
          (packages-using-file)))

The result is:

--8<---------------cut here---------------start------------->8---
scheme@(guile-user)> (packages-with-runtime-dependency-on-file)
$8 = (# #)
--8<---------------cut here---------------end--------------->8---

These two packages are leaves, so it’s fine to change them to use the
fixed ‘file’.  Done in 351d690.

> Finally, 'file' is a propagated-input for 'intltool', which means that
> if anyone installs 'intltool' in their profile, they will have the buggy
> 'file' in their PATH.

This one is more problematic.  We can try to apply Eric’s patch, but
that’s a lot of rebuild.

Thanks for the analysis,

Ludo’.
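The triage the thread performs (does a dependent keep the buggy package as a run-time reference of its outputs, does it propagate it into user profiles, and how much would have to be rebuilt to switch it to the fixed package) can be stated as a small model, independent of the Guix API. The following is an added example, not code from the message above or from Guix; the package names and edges in GRAPH are constructed for illustration and do not describe the real Guix dependency graph, and the "references" field stands in for what the script above reads from substitute metadata.

```python
"""Triage of a vulnerable dependency by run-time vs build-time use.

Added example; not Guix code.  On a constructed graph it answers the three
questions the thread asks about the buggy 'file': which packages retain it
as a run-time reference of their outputs, which propagate it into user
profiles, and how much must be rebuilt to switch each one to a fixed
package.  Names and edges are invented (hypothetical), not the real graph.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    name: str
    inputs: tuple = ()             # declared inputs; may or may not survive at run time
    native_inputs: tuple = ()      # build-time only by construction
    propagated_inputs: tuple = ()  # declared AND installed next to the package in profiles
    references: tuple = ()         # store items actually referenced by the built outputs

    def declared(self):
        """Every package whose change forces this one to be rebuilt."""
        return set(self.inputs) | set(self.native_inputs) | set(self.propagated_inputs)


# Constructed graph (hypothetical names; not the real Guix graph).
GRAPH = {p.name: p for p in (
    Package("file"),
    # declares 'file' and the built output still references it: real run-time use
    Package("viewer", inputs=("file",), references=("file",)),
    # declares 'file' but the built output keeps no reference: build-time only
    Package("buildtool", inputs=("file",), references=()),
    # propagates 'file': installing 'i18ntool' puts 'file' in the user's PATH
    Package("i18ntool", propagated_inputs=("file",), references=("file",)),
    Package("libfoo", native_inputs=("i18ntool",), references=()),
    Package("app", inputs=("libfoo",), references=("libfoo",)),
)}


def runtime_dependents(graph, vuln):
    """Packages whose built outputs reference VULN, so the fix matters for them."""
    return sorted(n for n, p in graph.items() if vuln in p.references)


def build_time_only(graph, vuln):
    """Packages that declare VULN but whose outputs drop it: no run-time exposure."""
    return sorted(n for n, p in graph.items()
                  if vuln in p.declared() and vuln not in p.references)


def profile_exposure(graph, vuln):
    """Packages that propagate VULN, exposing it to anyone who installs them."""
    return sorted(n for n, p in graph.items() if vuln in p.propagated_inputs)


def rebuild_closure(graph, target):
    """Transitive set of packages that must be rebuilt if TARGET changes."""
    seen, stack = set(), [target]
    while stack:
        cur = stack.pop()
        for name, p in graph.items():
            if cur in p.declared() and name not in seen:
                seen.add(name)
                stack.append(name)
    return seen


def is_leaf(graph, name):
    """A leaf has no dependents: switching it to the fixed package is cheap."""
    return not rebuild_closure(graph, name)


def triage(graph, vuln):
    """Per direct dependent of VULN: run-time relevance, profile exposure, rebuild cost."""
    return {
        name: {
            "runtime": vuln in p.references,
            "propagated": vuln in p.propagated_inputs,
            "rebuilds": len(rebuild_closure(graph, name)),
        }
        for name, p in graph.items() if vuln in p.declared()
    }


if __name__ == "__main__":
    for name, verdict in triage(GRAPH, "file").items():
        print(name, verdict)
```

The split between "declared" and "references" is the point of the check in the thread: a package can list 'file' as an input and still ship outputs that never touch it, and only retained references (or propagation into profiles) make the vulnerable binary reachable after installation.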