GNU bug report logs - #47144
security patching of 'patch' package


Package: guix;

Reported by: Mark H Weaver <mhw <at> netris.org>

Date: Sun, 14 Mar 2021 21:39:02 UTC

Severity: normal

Tags: security




Message #5 received at submit <at> debbugs.gnu.org:

From: Mark H Weaver <mhw <at> netris.org>
To: bug-guix <at> gnu.org
Cc: Léo Le Bouter <lle-bout <at> zaclys.net>
Subject: security patching of 'patch' package
Date: Sun, 14 Mar 2021 17:37:25 -0400
I'm forwarding this to bug-guix <at> gnu.org so that it won't be forgotten.

       Mark

-------------------- Start of forwarded message --------------------
Subject: security patching of 'patch' package
From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: guix-devel <at> gnu.org
Date: Wed, 10 Mar 2021 04:14:35 +0100

Hello!

I could find that the 'patch' package was vulnerable to numerous CVEs
that other distros like Debian have patched. Here's the list reported
by 'guix lint -c cve patch':

patch@2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638,
CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951,
CVE-2018-6952

Can I use the latest commit from master to build 'patch' and then graft
the original package?

i.e. https://git.savannah.gnu.org/git/patch.git

There aren't that many commits since the last release, but a lot of time has passed:
https://git.savannah.gnu.org/cgit/patch.git/log/

Thank you,
Léo
-------------------- End of forwarded message --------------------

Added tag(s) security. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Mon, 15 Mar 2021 13:44:01 GMT)


Message #10 received at 47144 <at> debbugs.gnu.org:

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: 47144 <at> debbugs.gnu.org
Cc: Léo Le Bouter <lle-bout <at> zaclys.net>
Subject: [PATCH 0/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes].
Date: Mon, 15 Mar 2021 19:26:04 +0100
I tried something, using the patch git repo's master instead of release
tarballs. I am not sure the git repo contains all the fixes; we could
alternatively just pull patches from Debian.

This attempt does not work yet, however; it fails on some gnulib source file
not being found, for some reason:

gcc: error: parse-datetime.c: No such file or directory
gcc: fatal error: no input files
compilation terminated.

This file seems to be generated by YACC, judging from the earlier log.

Léo Le Bouter (1):
  gnu: patch: Update to 2.7.6-7623b2d [security fixes].

 gnu/packages/base.scm | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

-- 
2.30.2






Message #13 received at 47144 <at> debbugs.gnu.org:

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: 47144 <at> debbugs.gnu.org
Cc: Léo Le Bouter <lle-bout <at> zaclys.net>
Subject: [PATCH 1/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes].
Date: Mon, 15 Mar 2021 19:26:05 +0100
* gnu/packages/base.scm (patch/fixed): New variable.
(patch)[replacement]: Graft.
---
 gnu/packages/base.scm | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 9aa69cfe77..a71b47ac4f 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -46,12 +46,14 @@
   #:use-module (gnu packages compression)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages linux)
+  #:use-module (gnu packages autotools)
   #:use-module (gnu packages pcre)
   #:use-module (gnu packages texinfo)
   #:use-module (gnu packages hurd)
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages python)
   #:use-module (gnu packages gettext)
+  #:use-module (gnu packages version-control)
   #:use-module (guix i18n)
   #:use-module (guix utils)
   #:use-module (guix packages)
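Review bot: The `(gnu packages version-control)` import is the line to watch in this hunk. base.scm sits near the bottom of the package graph and version-control's modules almost certainly reach back to it, so a top-level `#:use-module` here can produce a circular module load that shows up as an unbound-variable error when the module is evaluated. Confirm that `guix build patch` still evaluates cleanly; if it does not, `git-minimal` can be reached lazily from inside the (thunked) `native-inputs` field, e.g. with `(module-ref (resolve-interface '(gnu packages version-control)) 'git-minimal)`, instead of importing the whole module. The `(gnu packages autotools)` import is needed for `autoconf` and `automake` and is fine.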
@@ -228,6 +230,7 @@ standard utility.")
                (base32
                 "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc"))
               (patches (search-patches "patch-hurd-path-max.patch"))))
+   (replacement patch/fixed)
    (build-system gnu-build-system)
    (arguments
     ;; Work around a cross-compilation bug whereby libpatch.a would provide
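Review bot: `(replacement patch/fixed)` makes this a graft, but a graft only rewrites packages that keep `patch` as a run-time reference; `patch` is almost always a build-time-only native input, so the graft will rarely reach anything. Meanwhile the replacement must still satisfy graft constraints (same name and a store file name of the same length, which is why the version in the next hunk is pinned to "2.7.6" rather than a git-derived one). A separately defined newer `patch` package without `replacement` would reach users of `guix install patch` and could carry an honest version string.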
@@ -246,6 +249,42 @@ differences.")
    (license gpl3+)
    (home-page "https://savannah.gnu.org/projects/patch/")))
 
+(define patch/fixed
+  (let ((commit "7623b2dc0d1837ecfd58f32efc78e35834deeb38"))
+    (package/inherit patch
+      (name "patch")
+      (version "2.7.6")
+      ;; (version (string-append "2.7.6-" (string-take commit 7)))
+      (source
+       (origin
+         (method git-fetch)
+         (uri (git-reference
+               (url "https://git.savannah.gnu.org/git/patch.git")
+               (commit commit)
+               (recursive? #t)))
+         (file-name (git-file-name name version))
+         (sha256
+          (base32
+           "0k3i95gkbi21lipadlg1zd03d928b65x322q08xgdg461vnw2i6h"))
+         (patches (search-patches "patch-hurd-path-max.patch"))))
+      (arguments
+       (substitute-keyword-arguments (package-arguments patch)
+         ((#:phases phases '%standard-phases)
+           `(modify-phases ,phases
+             (replace 'bootstrap
+               (lambda* (#:key inputs #:allow-other-keys)
+                 (substitute* (list "gnulib/gnulib-tool"
+                                    "gnulib/build-aux/git-version-gen")
+                   (("/bin/sh") (which "sh")))
+                 (invoke "bash" "bootstrap" "--no-git"
+                         "--gnulib-srcdir=gnulib")
+                 #t))))))
+      (native-inputs
+       `(("autoconf" ,autoconf)
+         ("automake" ,automake)
+         ("git" ,git-minimal)
+         ,@(package-native-inputs patch))))))
+
 (define-public diffutils
   (package
    (name "diffutils")
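Review bot: The `native-inputs` list is missing `bison`, and that is the cause of the `parse-datetime.c: No such file or directory` failure in the cover letter: gnulib ships `parse-datetime.y` and generates `parse-datetime.c` with bison, so a git checkout bootstrapped with `bootstrap --no-git --gnulib-srcdir=gnulib` needs the generator, whereas the release tarball shipped the generated file. Add `("bison" ,bison)` (from `(gnu packages bison)`) next to autoconf and automake. Two smaller points: `(name "patch")` and `(version "2.7.6")` duplicate the inherited fields, and the commented-out `(version (string-append "2.7.6-" ...))` line deserves a one-line comment saying the version is kept at "2.7.6" so the graft's store file name has the same length as the original's; otherwise the next reader will "fix" it.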
-- 
2.30.2






Message #16 received at submit <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: Léo Le Bouter via Bug reports for GNU Guix <bug-guix <at> gnu.org>
Cc: Léo Le Bouter <lle-bout <at> zaclys.net>, 47144 <at> debbugs.gnu.org
Subject: Re: bug#47144: [PATCH 1/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes].
Date: Thu, 18 Mar 2021 22:58:56 +0100
Hi,

Léo Le Bouter via Bug reports for GNU Guix <bug-guix <at> gnu.org> writes:

> * gnu/packages/base.scm (patch/fixed): New variable.
> (patch)[replacement]: Graft.

It’s (almost) useless to provide a graft of ‘patch’ because patch is
usually a build-time only dependency.  (Maybe we can tell it’s not
vulnerable to the issues at hand because in that context it’s always
given controlled input: the package patches.)

What could be useful is to provide a second version of patch so that
people running ‘guix install patch’ or similar get the newer version.

HTH,
Ludo’.
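The "second version of patch" shape Ludo suggests, written out as an added example that is not code from this thread or from Guix itself. It assumes the hypothetical variable name `patch-next`, reuses the commit and hash from Léo's patch, and assumes that bison (from (gnu packages bison)) is the generator missing for parse-datetime.c; the modules for autoconf, automake, bison and git-minimal must be imported where this is placed.

```scheme
;; Added example: a separately defined, newer `patch' instead of a graft.
;; Assumes the commit and hash from the posted patch; `patch-next' is a
;; hypothetical variable name.  Needs (gnu packages autotools),
;; (gnu packages bison) and (gnu packages version-control) imported.
(define-public patch-next
  (let ((commit "7623b2dc0d1837ecfd58f32efc78e35834deeb38")
        (revision "0"))
    (package/inherit patch
      ;; Same name, higher version: `guix install patch' resolves a bare
      ;; name to the highest version, so users get this build, while the
      ;; `patch' used as a build-time input is left untouched (no graft).
      (version (git-version "2.7.6" revision commit))
      (source
       (origin
         (method git-fetch)
         (uri (git-reference
               (url "https://git.savannah.gnu.org/git/patch.git")
               (commit commit)
               (recursive? #t)))          ; gnulib is a git submodule
         (file-name (git-file-name "patch" version))
         (sha256
          (base32 "0k3i95gkbi21lipadlg1zd03d928b65x322q08xgdg461vnw2i6h"))
         (patches (search-patches "patch-hurd-path-max.patch"))))
      (arguments
       (substitute-keyword-arguments (package-arguments patch)
         ((#:phases phases '%standard-phases)
          `(modify-phases ,phases
             (replace 'bootstrap
               (lambda _
                 ;; gnulib's helper scripts hard-code /bin/sh.
                 (substitute* (list "gnulib/gnulib-tool"
                                    "gnulib/build-aux/git-version-gen")
                   (("/bin/sh") (which "sh")))
                 ;; Regenerate configure/Makefile.in from the checkout.
                 (invoke "bash" "bootstrap" "--no-git"
                         "--gnulib-srcdir=gnulib")))))))
      (native-inputs
       `(("autoconf" ,autoconf)
         ("automake" ,automake)
         ;; bison turns gnulib's parse-datetime.y into parse-datetime.c;
         ;; without it the build stops with "parse-datetime.c: No such file".
         ("bison" ,bison)
         ("git" ,git-minimal)
         ,@(package-native-inputs patch))))))
```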





Added indication that bug 47144 blocks 47297. Request was from Leo Famulari <leo <at> famulari.name> to control <at> debbugs.gnu.org. (Wed, 24 Mar 2021 04:07:02 GMT)


Message #24 received at 47144 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Mark H Weaver <mhw <at> netris.org>
Cc: 47144 <at> debbugs.gnu.org
Subject: Re: bug#47144: security patching of 'patch' package
Date: Wed, 14 Apr 2021 17:54:28 -0400
On Sun, Mar 14, 2021 at 05:37:25PM -0400, Mark H Weaver wrote:
> patch@2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638,
> CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951,
> CVE-2018-6952

I tried building a "fixed" package of patch, cherry-picking bug fix
patches from patch.git.

Unfortunately, the patches largely don't apply to the most recent
release of patch.

Since there is no release fixing these bugs, and no clear advice about
which patches to apply, I'm going to stop working on this for now.




Removed indication that bug 47144 blocks Request was from Leo Famulari <leo <at> famulari.name> to control <at> debbugs.gnu.org. (Wed, 14 Apr 2021 21:56:02 GMT)


Message #29 received at 47144 <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: lle-bout <at> zaclys.net, 47144 <at> debbugs.gnu.org
Subject: Re: bug#47144: security patching of 'patch' package
Date: Tue, 22 Mar 2022 23:03:47 -0400
Hi,

Ludovic Courtès <ludo <at> gnu.org> writes:

> Hi,
>
> Léo Le Bouter via Bug reports for GNU Guix <bug-guix <at> gnu.org> writes:
>
>> * gnu/packages/base.scm (patch/fixed): New variable.
>> (patch)[replacement]: Graft.
>
> It’s (almost) useless to provide a graft of ‘patch’ because patch is
> usually a build-time only dependency.  (Maybe we can tell it’s not
> vulnerable to the issues at hand because in that context it’s always
> given controlled input: the package patches.)
>
> What could be useful is to provide a second version of patch so that
> people running ‘guix install patch’ or similar get the newer version.

The latest release of patch is the one we have, v2.7.6, made 4 years
ago.

Thanks,

Maxim



