GNU bug report logs - #47144
security patching of 'patch' package


Package: guix; Reported by: Mark H Weaver <mhw@HIDDEN>; Keywords: security; dated Sun, 14 Mar 2021 21:39:02 UTC; Maintainer for guix is bug-guix@HIDDEN.
Removed indication that bug 47144 blocks Request was from Leo Famulari <leo@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 47144 <at> debbugs.gnu.org:


Date: Wed, 14 Apr 2021 17:54:28 -0400
From: Leo Famulari <leo@HIDDEN>
To: Mark H Weaver <mhw@HIDDEN>
Subject: Re: bug#47144: security patching of 'patch' package

On Sun, Mar 14, 2021 at 05:37:25PM -0400, Mark H Weaver wrote:
> patch@HIDDEN: probably vulnerable to CVE-2019-13636, CVE-2019-13638,
> CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951,
> CVE-2018-6952

I tried building a "fixed" package of patch, cherry-picking bug fix
patches from patch.git.

Unfortunately, the patches largely don't apply to the most recent
release of patch.

Since there is no release fixing these bugs, and no clear advice about
which patches to apply, I'm going to stop working on this for now.




Information forwarded to bug-guix@HIDDEN:
bug#47144; Package guix. Full text available.
Added indication that bug 47144 blocks 47297. Request was from Leo Famulari <leo@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 47144 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: Léo Le Bouter via Bug reports for GNU Guix <bug-guix@HIDDEN>
Subject: Re: bug#47144: [PATCH 1/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes].
Date: Thu, 18 Mar 2021 22:58:56 +0100

Hi,

Léo Le Bouter via Bug reports for GNU Guix <bug-guix@HIDDEN> wrote:

> * gnu/packages/base.scm (patch/fixed): New variable.
> (patch)[replacement]: Graft.

It’s (almost) useless to provide a graft of ‘patch’ because patch is
usually a build-time only dependency.  (Maybe we can tell it’s not
vulnerable to the issues at hand because in that context it’s always
given controlled input: the package patches.)

What could be useful is to provide a second version of patch so that
people running ‘guix install patch’ or similar get the newer version.

HTH,
Ludo’.




Information forwarded to bug-guix@HIDDEN:
bug#47144; Package guix. Full text available.

Message received at 47144 <at> debbugs.gnu.org:


From: Léo Le Bouter <lle-bout@HIDDEN>
To: 47144 <at> debbugs.gnu.org
Subject: [PATCH 1/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes].
Date: Mon, 15 Mar 2021 19:26:05 +0100

* gnu/packages/base.scm (patch/fixed): New variable.
(patch)[replacement]: Graft.
---
 gnu/packages/base.scm | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 9aa69cfe77..a71b47ac4f 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -46,12 +46,14 @@
   #:use-module (gnu packages compression)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages linux)
+  #:use-module (gnu packages autotools)
   #:use-module (gnu packages pcre)
   #:use-module (gnu packages texinfo)
   #:use-module (gnu packages hurd)
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages python)
   #:use-module (gnu packages gettext)
+  #:use-module (gnu packages version-control)
   #:use-module (guix i18n)
   #:use-module (guix utils)
   #:use-module (guix packages)
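
Review bot: The two added "#:use-module" lines, (gnu packages autotools) and (gnu packages version-control), make base.scm depend on two further package modules for the sake of one package's native-inputs. The only visible use of version-control is ("git" ,git-minimal), while the bootstrap phase in the same patch is invoked with "--no-git"; if git is not needed at build time, drop that input and this import with it. If it is needed, a short comment next to the input saying why would help the next reader.
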
@@ -228,6 +230,7 @@ standard utility.")
                (base32
                 "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc"))
               (patches (search-patches "patch-hurd-path-max.patch"))))
+   (replacement patch/fixed)
    (build-system gnu-build-system)
    (arguments
     ;; Work around a cross-compilation bug whereby libpatch.a would provide
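
Review bot: Missing documentation on the added "(replacement patch/fixed)" line: nothing records which issues the graft is meant to address. Add a comment above it naming the CVEs listed in this bug report, so that the replacement can be removed once a release containing the fixes is packaged.
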
@@ -246,6 +249,42 @@ differences.")
    (license gpl3+)
    (home-page "https://savannah.gnu.org/projects/patch/")))
 
+(define patch/fixed
+  (let ((commit "7623b2dc0d1837ecfd58f32efc78e35834deeb38"))
+    (package/inherit patch
+      (name "patch")
+      (version "2.7.6")
+      ;; (version (string-append "2.7.6-" (string-take commit 7)))
+      (source
+       (origin
+         (method git-fetch)
+         (uri (git-reference
+               (url "https://git.savannah.gnu.org/git/patch.git")
+               (commit commit)
+               (recursive? #t)))
+         (file-name (git-file-name name version))
+         (sha256
+          (base32
+           "0k3i95gkbi21lipadlg1zd03d928b65x322q08xgdg461vnw2i6h"))
+         (patches (search-patches "patch-hurd-path-max.patch"))))
+      (arguments
+       (substitute-keyword-arguments (package-arguments patch)
+         ((#:phases phases '%standard-phases)
+           `(modify-phases ,phases
+             (replace 'bootstrap
+               (lambda* (#:key inputs #:allow-other-keys)
+                 (substitute* (list "gnulib/gnulib-tool"
+                                    "gnulib/build-aux/git-version-gen")
+                   (("/bin/sh") (which "sh")))
+                 (invoke "bash" "bootstrap" "--no-git"
+                         "--gnulib-srcdir=gnulib")
+                 #t))))))
+      (native-inputs
+       `(("autoconf" ,autoconf)
+         ("automake" ,automake)
+         ("git" ,git-minimal)
+         ,@(package-native-inputs patch))))))
+
 (define-public diffutils
   (package
    (name "diffutils")
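
Review bot: In patch/fixed, the commented-out line ';; (version (string-append "2.7.6-" (string-take commit 7)))' should not be committed as dead code. Either delete it or replace it with a comment explaining why the version stays "2.7.6" although the source is git commit 7623b2d rather than the 2.7.6 release. As written, the subject line says "Update to 2.7.6-7623b2d" but nothing in the package's version field distinguishes the two builds.
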
-- 
2.30.2





Information forwarded to bug-guix@HIDDEN:
bug#47144; Package guix. Full text available.

Message received at 47144 <at> debbugs.gnu.org:


From: Léo Le Bouter <lle-bout@HIDDEN>
To: 47144 <at> debbugs.gnu.org
Subject: [PATCH 0/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes].
Date: Mon, 15 Mar 2021 19:26:04 +0100

I tried something, using patch git repo's master instead of release tarballs, I
am not sure the git repo contains all the fixes, we could alternatively just
pull patches from Debian.

This attempt does not work yet however, it fails on some gnulib source file not
being found for some reason:

gcc: error: parse-datetime.c: No such file or directory
gcc: fatal error: no input files
compilation terminated.

This file seems to be generated by YACC from earlier log.

Léo Le Bouter (1):
  gnu: patch: Update to 2.7.6-7623b2d [security fixes].

 gnu/packages/base.scm | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

-- 
2.30.2





Information forwarded to bug-guix@HIDDEN:
bug#47144; Package guix. Full text available.
Added tag(s) security. Request was from Ludovic Courtès <ludo@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at submit <at> debbugs.gnu.org:


From: Mark H Weaver <mhw@HIDDEN>
To: bug-guix@HIDDEN
Subject: security patching of 'patch' package
References: <6d01d537754ce50b10035903d8e7d205699c4b39.camel@HIDDEN>
Date: Sun, 14 Mar 2021 17:37:25 -0400
I'm forwarding this to bug-guix@HIDDEN so that it won't be forgotten.

       Mark

-------------------- Start of forwarded message --------------------
Subject: security patching of 'patch' package
From: Léo Le Bouter <lle-bout@HIDDEN>
To: guix-devel@HIDDEN
Date: Wed, 10 Mar 2021 04:14:35 +0100


Hello!

I could find that the 'patch' package was vulnerable to numerous CVEs
that other distros like Debian have patched. Here's the list reported
by 'guix lint -c cve patch':

patch@HIDDEN: probably vulnerable to CVE-2019-13636, CVE-2019-13638,
CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951,
CVE-2018-6952

Can I use latest commit from master to build 'patch' then graft
original package?

i.e. https://git.savannah.gnu.org/git/patch.git

There's not that many commits since last release, but lots of time:
https://git.savannah.gnu.org/cgit/patch.git/log/

Thank you,
Léo

-------------------- End of forwarded message --------------------





Acknowledgement sent to Mark H Weaver <mhw@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#47144; Package guix. Full text available.
Last modified: Wed, 14 Apr 2021 22:00:02 UTC
