From: Leo Famulari
To: Mark H Weaver
Cc: 47144@debbugs.gnu.org
Subject: bug#47144: security patching of 'patch' package
Date: Wed, 14 Apr 2021 17:54:28 -0400
In-Reply-To: <877dm9s9fz.fsf@netris.org>

On Sun, Mar 14, 2021 at 05:37:25PM -0400, Mark H Weaver wrote:
> patch@2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638,
> CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951,
> CVE-2018-6952

I tried building a "fixed" package of patch, cherry-picking bug fix patches from patch.git. Unfortunately, the patches largely don't apply to the most recent release of patch.

Since there is no release fixing these bugs, and no clear advice about which patches to apply, I'm going to stop working on this for now.