GNU bug report logs - #31444
'guix health': a tool to report vulnerable packages

Please note: This is a static page, with minimal formatting, updated once a day.

Package: guix-patches; Reported by: ludo@HIDDEN (Ludovic Courtès); Keywords: patch; merged with #31442, #31443; dated Sun, 13 May 2018 22:43:02 UTC; Maintainer for guix-patches is guix-patches@HIDDEN.
Merged 31442 31443 31444. Request was from ludo@HIDDEN (Ludovic Courtès) to control <at> debbugs.gnu.org.

Message received at submit <at> debbugs.gnu.org:


From: Martin Castillo <castilma@HIDDEN>
To: guix-patches@HIDDEN
Subject: Re: [bug#31444] 'guix health': a tool to report vulnerable packages
Date: Mon, 14 May 2018 10:06:46 +0200
Message-ID: <f7776a30-f164-3b78-5164-3df5d7d84718@HIDDEN>
In-Reply-To: <87fu2vjj76.fsf@HIDDEN>

On 14.05.2018 00:15, Ludovic Courtès wrote:
> [...] shadow@HIDDEN is available and fixes CVE-2018-7169, consider ugprading
                                                                     ^typo

> Should we satisfy ourselves with the current approach in the meantime?

Release early and often would say yes. But I'm not an experienced developer.

I have the feeling that guix lint does not cache the CVEs it fetches. I
think it should.

-- 
GPG: 7FDE 7190 2F73 2C50 236E  403D CC13 48F1 E644 08EC



Message received at submit <at> debbugs.gnu.org:

From: ludo@HIDDEN (Ludovic Courtès)
To: guix-patches@HIDDEN
Subject: 'guix health': a tool to report vulnerable packages
Date: Mon, 14 May 2018 00:15:41 +0200
Message-ID: <87fu2vjj76.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)

Hello Guix!

On IRC davidl shared a shell script that checks the output of ‘guix lint
-c cve’ and uses that to determine vulnerable packages in a profile.
That reminds me of the plan for ‘guix health’ (a tool to do just that),
so I went ahead and tried to make it a reality at last.

This ‘guix health’ reports information about “leaf” packages in a
profile, but not about their dependencies:

--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env guix health -p /run/current-system/profile/
guix health: warning: util-linux@HIDDEN may be vulnerable to CVE-2018-7738
guix health: warning: util-linux@HIDDEN is available but does not fix any of these
hint: Run `guix pull' and then re-run `guix health' to see if fixes are available.  If
none are available, please consider submitting a patch for the package definition of
'util-linux'.


guix health: warning: shadow@HIDDEN may be vulnerable to CVE-2018-7169
guix health: warning: shadow@HIDDEN is available and fixes CVE-2018-7169, consider ugprading
guix health: warning: tar@HIDDEN may be vulnerable to CVE-2016-6321
guix health: warning: tar@HIDDEN is available but does not fix any of these
hint: Run `guix pull' and then re-run `guix health' to see if fixes are available.  If
none are available, please consider submitting a patch for the package definition of
'tar'.
--8<---------------cut here---------------end--------------->8---

The difficulty here is that we need to know a package’s CPE name before
we can check the CVE database, and we also need to know whether the
package already includes fixes for known CVEs.  This patch set attaches
this information to manifest entries, so that ‘guix health’ can then
rely on it.

Fundamentally, that means we cannot reliably tell much about
dependencies: in cases where the CPE name differs from the Guix name, we
won’t have any match, and more generally, we cannot know what CVEs are
patched in the package; we could infer part of this by looking at the
same-named package in the current Guix, but that’s hacky.

I think that longer-term we probably need to attach this kind of
meta-data to packages themselves, by adding a bunch of files in each
package, say under PREFIX/guix.  We could do that for search paths as
well.

Should we satisfy ourselves with the current approach in the meantime?
Thoughts?

Besides, support for properties in manifest entries seems useful to me,
so we may want to keep it regardless of whether we take ‘guix health’
as-is.

Ludo’.

Ludovic Court=C3=A8s (5):
  profiles: Add '%current-profile', 'user-friendly-profile', & co.
  packages: Add 'package-patched-vulnerabilities'.
  profiles: Add 'properties' field to manifest entries.
  profiles: Record fixed vulnerabilities as properties of entries.
  DRAFT Add 'guix health'.

 Makefile.am              |   1 +
 guix/packages.scm        |  28 +++++++
 guix/profiles.scm        |  91 ++++++++++++++++++++--
 guix/scripts/health.scm  | 158 +++++++++++++++++++++++++++++++++++++++
 guix/scripts/lint.scm    |  23 +-----
 guix/scripts/package.scm |  40 ----------
 po/guix/POTFILES.in      |   1 +
 tests/packages.scm       |  15 ++++
 tests/profiles.scm       |  22 ++++++
 9 files changed, 312 insertions(+), 67 deletions(-)
 create mode 100644 guix/scripts/health.scm

-- 
2.17.0
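The check Ludovic's message describes (look up a manifest entry's CPE name in the CVE data, subtract the CVEs the package already patches, then see whether the package in current Guix closes the rest) and davidl's starting point (filter `guix lint -c cve` output down to what a profile contains), as one added example. This is a stand-alone Python model written for this page, not Guix code and not the patch series (the real tool is Guile, guix/scripts/health.scm). The CVE feed (CPE_DB), the package entries (PROFILE, CURRENT), the lint output lines (LINT_SAMPLE) and every function name are constructed for the illustration; the `guix lint` line format in LINT_LINE is assumed from the checker's output at the time, not taken from the page.

```python
"""Model of the 'guix health' check sketched in the thread.

Added example for this page, not code from Guix or from the patch series
(the real tool is Guile, guix/scripts/health.scm).  CPE_DB, Entry,
LINT_SAMPLE and every function below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the NIST CVE data that `guix lint -c cve` fetches:
# CPE (vendor, product) -> {version: [CVE ids reported against that version]}.
CPE_DB = {
    ("kernel", "util-linux"): {"2.31": ["CVE-2018-7738"], "2.32": ["CVE-2018-7738"]},
    ("debian", "shadow"):     {"4.5": ["CVE-2018-7169"], "4.6": []},
    ("gnu", "tar"):           {"1.29": ["CVE-2016-6321"], "1.30": ["CVE-2016-6321"]},
}


@dataclass(frozen=True)
class Entry:
    """A manifest entry plus the properties the patch set attaches to it."""
    name: str
    version: str
    cpe: Optional[Tuple[str, str]] = None   # CPE (vendor, product); None = unknown
    patched: frozenset = frozenset()        # CVEs already fixed by Guix patches


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple so that '2.31' < '2.32' and '1.9' < '1.10'."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def open_cves(entry: Entry) -> Optional[List[str]]:
    """CVEs reported for ENTRY's CPE name and version, minus those it patches.
    None means "cannot tell": the CPE name is unknown, which is the
    dependency problem the message describes (Guix name != CPE name)."""
    if entry.cpe is None:
        return None
    reported = CPE_DB.get(entry.cpe, {}).get(entry.version, [])
    return sorted(set(reported) - entry.patched)


def health_report(profile: List[Entry], current: Dict[str, Entry]) -> List[str]:
    """Warnings for PROFILE entries; CURRENT maps name -> entry in current Guix."""
    warnings = []
    for entry in profile:
        vulns = open_cves(entry)
        if not vulns:                  # None (unknown CPE) or nothing open
            continue
        for cve in vulns:
            warnings.append(f"{entry.name}@{entry.version} may be vulnerable to {cve}")
        newer = current.get(entry.name)
        if newer is None or version_key(newer.version) <= version_key(entry.version):
            continue
        still_open = open_cves(newer)
        if still_open is None:         # newer entry lacks a CPE name: assume no fix
            still_open = vulns
        fixed = [cve for cve in vulns if cve not in still_open]
        if fixed:
            warnings.append(f"{newer.name}@{newer.version} is available and fixes "
                            f"{', '.join(fixed)}, consider upgrading")
        else:
            warnings.append(f"{newer.name}@{newer.version} is available but does "
                            "not fix any of these")
    return warnings


# davidl's approach: filter `guix lint -c cve` output down to what a profile
# contains.  Line format is assumed from the lint checker's output at the time.
LINT_LINE = re.compile(
    r"^[^:]+:\d+:\d+: (?P<name>[^@\s]+)@(?P<version>[^:\s]+): "
    r"probably vulnerable to (?P<cves>CVE-\d{4}-\d+(?:, CVE-\d{4}-\d+)*)$")

# Constructed sample of lint output (locations are illustrative).
LINT_SAMPLE = """\
gnu/packages/linux.scm:100:2: util-linux@2.31: probably vulnerable to CVE-2018-7738
gnu/packages/admin.scm:200:2: shadow@4.5: probably vulnerable to CVE-2018-7169
gnu/packages/base.scm:300:2: tar@1.29: probably vulnerable to CVE-2016-6321
gnu/packages/web.scm:400:2: nginx@1.13.0: probably vulnerable to CVE-2017-7529
"""


def parse_lint_output(text: str) -> Dict[Tuple[str, str], List[str]]:
    """(name, version) -> CVE list for every lint warning line that parses."""
    found = {}
    for line in text.splitlines():
        m = LINT_LINE.match(line)
        if m:
            found[(m["name"], m["version"])] = m["cves"].split(", ")
    return found


def lint_hits_in_profile(text: str, profile: List[Entry]) -> Dict[Tuple[str, str], List[str]]:
    """Only the lint warnings whose name@version is installed in PROFILE."""
    installed = {(e.name, e.version) for e in profile}
    return {k: v for k, v in parse_lint_output(text).items() if k in installed}


# Constructed profile and "current Guix" packages reproducing the thread's cases.
PROFILE = [
    Entry("util-linux", "2.31", ("kernel", "util-linux")),
    Entry("shadow", "4.5", ("debian", "shadow")),
    Entry("tar", "1.29", ("gnu", "tar")),
    Entry("libfoo", "1.0"),                # no CPE name: nothing can be said
]
CURRENT = {
    "util-linux": Entry("util-linux", "2.32", ("kernel", "util-linux")),
    "shadow": Entry("shadow", "4.6", ("debian", "shadow")),
    # tar 1.30 is still listed by the feed, but Guix carries a patch for the
    # CVE, recorded as a property (what 'package-patched-vulnerabilities' gives):
    "tar": Entry("tar", "1.30", ("gnu", "tar"), frozenset({"CVE-2016-6321"})),
}

if __name__ == "__main__":
    for hit, cves in lint_hits_in_profile(LINT_SAMPLE, PROFILE).items():
        print("lint:", "@".join(hit), "->", ", ".join(cves))
    for line in health_report(PROFILE, CURRENT):
        print("guix health: warning:", line)
```

The two design points the message makes show up directly: `libfoo` has no CPE name, so `open_cves` returns None and the report stays silent about it rather than guessing, and `tar@1.30` is still listed by the feed but is reported as fixing the CVE because the patched-CVE property on the newer entry is subtracted before the comparison. Without that property the tool could only say "is available but does not fix any of these", which is what the page's real output shows for tar.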




Last modified: Mon, 14 May 2018 08:30:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.