Leo Famulari <leo@HIDDEN>
to control <at> debbugs.gnu.org.
Full text available.Received: (at 47144) by debbugs.gnu.org; 14 Apr 2021 21:54:42 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Wed Apr 14 17:54:42 2021 Received: from localhost ([127.0.0.1]:35963 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1lWnT8-000293-Fw for submit <at> debbugs.gnu.org; Wed, 14 Apr 2021 17:54:42 -0400 Received: from out2-smtp.messagingengine.com ([66.111.4.26]:41109) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <leo@HIDDEN>) id 1lWnT6-00028n-0R for 47144 <at> debbugs.gnu.org; Wed, 14 Apr 2021 17:54:41 -0400 Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id 777C15C009E; Wed, 14 Apr 2021 17:54:34 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute3.internal (MEProxy); Wed, 14 Apr 2021 17:54:34 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=date:from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=mesmtp; bh=6f4axvg7upunPgsTJ1Ddy9PM rWm1KoqNYks/tTWjmZA=; b=O9gN0ex6+5NJza+gZcX32ZJwR3QmRmRoBfF71Y99 NWB0uXDZ42+qE5jtzRdhtWJWPNNxKEgvyyO/UETM4l1b5LXLYyqpCWQQupQZ4VVh JlvJlEtnFurRt/zAtMLNoJZRcHDLzk/KKbqCqCn1YKGh5EUE/b714DjhqPI0FSCA bzw= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=6f4axv g7upunPgsTJ1Ddy9PMrWm1KoqNYks/tTWjmZA=; b=m1v9ttJQPDsD2dElU0bL3Z +I5cwlsFR3gS/+sERLqN3U0csgeEMLGQ6XMRV9JSpVseT4jbDwufxJayBD1JapLO IFAf1bsmorVwCo14rMerJf6l7915bqUaNh4PI6X691k0mEOTAORjM7gDmMqEniW1 7cHtj9qDAwkuXUmmNLIsq5dzkAT0WKAU1By3IwpZMLu/SCnc/rKRGIKM69Ur8Mx5 QjmGQkLepp3UNckYYrgSrZU/zgfybPZe773ieaA12uSF5RS20lNMjszpCAYihiFv +1t5jGcwlqZFHKVUWMIlwMOOoCpSDTRwsd6vClELOEeoUyXJZdoK5WIhzjaEx1UA == X-ME-Sender: <xms:mmR3YBE07usNUmTqky1yvKCEnYZRc4Qda1SU_TbeqCHxR5C73AAjtQ> <xme:mmR3YGWN1Xx35K8rx4oxZZ1_Ceq_BambLALDZEre4DaTezbSHUPLL4X4bPyjkTH-c pOkCi5-OJvRBA3isw> X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrudelvddgtddvucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpeffhffvuffkfhggtggujgesthdtre dttddtvdenucfhrhhomhepnfgvohcuhfgrmhhulhgrrhhiuceolhgvohesfhgrmhhulhgr rhhirdhnrghmvgeqnecuggftrfgrthhtvghrnhepueekkedtffdvtddugeejgedtvefhue efiedvjeeitdeigedtveejvdejheffvefgnecukfhppedutddtrdduuddrudeiledruddu keenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehlvg hosehfrghmuhhlrghrihdrnhgrmhgv X-ME-Proxy: <xmx:mmR3YDJKcup8Nf3jCj53wwClYEWDb7FxCgtVbqi8uyJuHQE9ItYgRw> <xmx:mmR3YHHvTYjgobOBdT5aTVdBz3IhHjPthTlNK9lEzXrilacULMxXYg> <xmx:mmR3YHU9vgQu-jukaVqjbBx68zJG44VDTsYLdnhSoLnLB_9IkRhvrg> <xmx:mmR3YOAntlShncIj6kRt8I-VnCxZ7wFl6tYwtQ44NkqGzhfFqXXjwQ> Received: from localhost (pool-100-11-169-118.phlapa.fios.verizon.net [100.11.169.118]) by mail.messagingengine.com (Postfix) with ESMTPA id 1A7A01080057; Wed, 14 Apr 2021 17:54:34 -0400 (EDT) Date: Wed, 14 Apr 2021 17:54:28 -0400 From: Leo Famulari <leo@HIDDEN> To: Mark H Weaver <mhw@HIDDEN> Subject: Re: bug#47144: security patching of 'patch' package Message-ID: <YHdklP7565AtJ4uR@HIDDEN> References: <6d01d537754ce50b10035903d8e7d205699c4b39.camel@HIDDEN> <877dm9s9fz.fsf@HIDDEN> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <877dm9s9fz.fsf@HIDDEN> X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 47144 Cc: 47144 <at> debbugs.gnu.org X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -1.7 (-) On Sun, Mar 14, 2021 at 05:37:25PM -0400, Mark H Weaver wrote: > patch@HIDDEN: probably vulnerable to CVE-2019-13636, CVE-2019-13638, > CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951, CVE- > 2018-6952 I tried building a "fixed" package of patch, cherry-picking bug fix patches from patch.git. Unfortunately, the patches largely don't apply to the most recent release of patch. Since there is no release fixing these bugs, and no clear advice about which patches to apply, I'm going to stop working on this for now.
bug-guix@HIDDEN:bug#47144; Package guix.
Full text available.Leo Famulari <leo@HIDDEN>
to control <at> debbugs.gnu.org.
Full text available.Received: (at 47144) by debbugs.gnu.org; 18 Mar 2021 21:59:09 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Thu Mar 18 17:59:09 2021 Received: from localhost ([127.0.0.1]:48245 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1lN0fd-0002aj-2e for submit <at> debbugs.gnu.org; Thu, 18 Mar 2021 17:59:09 -0400 Received: from eggs.gnu.org ([209.51.188.92]:48966) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <ludo@HIDDEN>) id 1lN0fc-0002aI-5N for 47144 <at> debbugs.gnu.org; Thu, 18 Mar 2021 17:59:08 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:37274) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from <ludo@HIDDEN>) id 1lN0fW-0002h6-8b; Thu, 18 Mar 2021 17:59:02 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=56064 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from <ludo@HIDDEN>) id 1lN0fT-0003in-Dy; Thu, 18 Mar 2021 17:59:00 -0400 From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN> To: =?utf-8?Q?L=C3=A9o?= Le Bouter via Bug reports for GNU Guix <bug-guix@HIDDEN> Subject: Re: bug#47144: [PATCH 1/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes]. References: <20210315182605.25973-1-lle-bout@HIDDEN> <20210315182605.25973-2-lle-bout@HIDDEN> X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: 28 =?utf-8?Q?Vent=C3=B4se?= an 229 de la =?utf-8?Q?R?= =?utf-8?Q?=C3=A9volution?= X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Thu, 18 Mar 2021 22:58:56 +0100 In-Reply-To: <20210315182605.25973-2-lle-bout@HIDDEN> (=?utf-8?Q?=22L?= =?utf-8?Q?=C3=A9o?= Le Bouter via Bug reports for GNU Guix"'s message of "Mon, 15 Mar 2021 19:26:05 +0100") Message-ID: <87lfakjf8f.fsf@HIDDEN> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 47144 Cc: =?utf-8?Q?L=C3=A9o?= Le Bouter <lle-bout@HIDDEN>, 47144 <at> debbugs.gnu.org X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -1.7 (-) Hi, L=C3=A9o Le Bouter via Bug reports for GNU Guix <bug-guix@HIDDEN> skribis: > * gnu/packages/base.scm (patch/fixed): New variable. > (patch)[replacement]: Graft. It=E2=80=99s (almost) useless to provide a graft of =E2=80=98patch=E2=80=99= because patch is usually a build-time only dependency. (Maybe we can tell it=E2=80=99s not vulnerable to the issues at hand because in that context it=E2=80=99s always given controlled input: the package patches.) What could be useful is to provide a second version of patch so that people running =E2=80=98guix install patch=E2=80=99 or similar get the newe= r version. HTH, Ludo=E2=80=99.
bug-guix@HIDDEN:bug#47144; Package guix.
Full text available.Received: (at submit) by debbugs.gnu.org; 18 Mar 2021 21:59:05 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Thu Mar 18 17:59:05 2021 Received: from localhost ([127.0.0.1]:48242 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1lN0fY-0002aR-Q0 for submit <at> debbugs.gnu.org; Thu, 18 Mar 2021 17:59:05 -0400 Received: from lists.gnu.org ([209.51.188.17]:54790) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <ludo@HIDDEN>) id 1lN0fX-0002aK-Cf for submit <at> debbugs.gnu.org; Thu, 18 Mar 2021 17:59:03 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:41964) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <ludo@HIDDEN>) id 1lN0fX-0004eQ-3o for bug-guix@HIDDEN; Thu, 18 Mar 2021 17:59:03 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:37274) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from <ludo@HIDDEN>) id 1lN0fW-0002h6-8b; Thu, 18 Mar 2021 17:59:02 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=56064 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from <ludo@HIDDEN>) id 1lN0fT-0003in-Dy; Thu, 18 Mar 2021 17:59:00 -0400 From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN> To: =?utf-8?Q?L=C3=A9o?= Le Bouter via Bug reports for GNU Guix <bug-guix@HIDDEN> Subject: Re: bug#47144: [PATCH 1/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes]. References: <20210315182605.25973-1-lle-bout@HIDDEN> <20210315182605.25973-2-lle-bout@HIDDEN> X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: 28 =?utf-8?Q?Vent=C3=B4se?= an 229 de la =?utf-8?Q?R?= =?utf-8?Q?=C3=A9volution?= X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Thu, 18 Mar 2021 22:58:56 +0100 In-Reply-To: <20210315182605.25973-2-lle-bout@HIDDEN> (=?utf-8?Q?=22L?= =?utf-8?Q?=C3=A9o?= Le Bouter via Bug reports for GNU Guix"'s message of "Mon, 15 Mar 2021 19:26:05 +0100") Message-ID: <87lfakjf8f.fsf@HIDDEN> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: submit Cc: =?utf-8?Q?L=C3=A9o?= Le Bouter <lle-bout@HIDDEN>, 47144 <at> debbugs.gnu.org X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -3.3 (---) Hi, L=C3=A9o Le Bouter via Bug reports for GNU Guix <bug-guix@HIDDEN> skribis: > * gnu/packages/base.scm (patch/fixed): New variable. > (patch)[replacement]: Graft. It=E2=80=99s (almost) useless to provide a graft of =E2=80=98patch=E2=80=99= because patch is usually a build-time only dependency. (Maybe we can tell it=E2=80=99s not vulnerable to the issues at hand because in that context it=E2=80=99s always given controlled input: the package patches.) What could be useful is to provide a second version of patch so that people running =E2=80=98guix install patch=E2=80=99 or similar get the newe= r version. HTH, Ludo=E2=80=99.
bug-guix@HIDDEN:bug#47144; Package guix.
Full text available.
Received: (at 47144) by debbugs.gnu.org; 15 Mar 2021 18:26:18 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Mar 15 14:26:18 2021
Received: from localhost ([127.0.0.1]:37075 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1lLrv0-0005Mc-2l
for submit <at> debbugs.gnu.org; Mon, 15 Mar 2021 14:26:18 -0400
Received: from mail.zaclys.net ([178.33.93.72]:42759)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <lle-bout@HIDDEN>) id 1lLruy-0005MJ-8u
for 47144 <at> debbugs.gnu.org; Mon, 15 Mar 2021 14:26:16 -0400
Received: from localhost.localdomain (82-64-145-38.subs.proxad.net
[82.64.145.38]) (authenticated bits=0)
by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 12FIQ9uQ017842
(version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO);
Mon, 15 Mar 2021 19:26:10 +0100
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 12FIQ9uQ017842
Authentication-Results: mail.zaclys.net;
dmarc=fail (p=reject dis=none) header.from=zaclys.net
Authentication-Results: mail.zaclys.net;
spf=fail smtp.mailfrom=lle-bout@HIDDEN
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net;
s=default; t=1615832770;
bh=QOj4BRk+AUscpF6wkwcItIWRc1DvhgcWiycVrsvjFbU=;
h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
b=btERzpNO+RejlLr9L+6LDF6ta2SobDhLoilOfaBxVAvql5R1Ow7jXRWvbyhMRREP4
Z/NHz9RTvii7HO6keHPsm1mFl7PE7b2SvQ6evYxv7Dq24itQDpP0tDbvQOZVj6RB1Y
ZDOSvsUdsth8/UvoYtaAbmmmJQeyrf4u60O1kCLM=
From: =?UTF-8?q?L=C3=A9o=20Le=20Bouter?= <lle-bout@HIDDEN>
To: 47144 <at> debbugs.gnu.org
Subject: [PATCH 1/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes].
Date: Mon, 15 Mar 2021 19:26:05 +0100
Message-Id: <20210315182605.25973-2-lle-bout@HIDDEN>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20210315182605.25973-1-lle-bout@HIDDEN>
References: <20210315182605.25973-1-lle-bout@HIDDEN>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 47144
Cc: =?UTF-8?q?L=C3=A9o=20Le=20Bouter?= <lle-bout@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)
* gnu/packages/base.scm (patch/fixed): New variable.
(patch)[replacement]: Graft.
---
gnu/packages/base.scm | 39 +++++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 9aa69cfe77..a71b47ac4f 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -46,12 +46,14 @@
#:use-module (gnu packages compression)
#:use-module (gnu packages perl)
#:use-module (gnu packages linux)
+ #:use-module (gnu packages autotools)
#:use-module (gnu packages pcre)
#:use-module (gnu packages texinfo)
#:use-module (gnu packages hurd)
#:use-module (gnu packages pkg-config)
#:use-module (gnu packages python)
#:use-module (gnu packages gettext)
+ #:use-module (gnu packages version-control)
#:use-module (guix i18n)
#:use-module (guix utils)
#:use-module (guix packages)
@@ -228,6 +230,7 @@ standard utility.")
(base32
"1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc"))
(patches (search-patches "patch-hurd-path-max.patch"))))
+ (replacement patch/fixed)
(build-system gnu-build-system)
(arguments
;; Work around a cross-compilation bug whereby libpatch.a would provide
@@ -246,6 +249,42 @@ differences.")
(license gpl3+)
(home-page "https://savannah.gnu.org/projects/patch/")))
+(define patch/fixed
+ (let ((commit "7623b2dc0d1837ecfd58f32efc78e35834deeb38"))
+ (package/inherit patch
+ (name "patch")
+ (version "2.7.6")
+ ;; (version (string-append "2.7.6-" (string-take commit 7)))
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://git.savannah.gnu.org/git/patch.git")
+ (commit commit)
+ (recursive? #t)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "0k3i95gkbi21lipadlg1zd03d928b65x322q08xgdg461vnw2i6h"))
+ (patches (search-patches "patch-hurd-path-max.patch"))))
+ (arguments
+ (substitute-keyword-arguments (package-arguments patch)
+ ((#:phases phases '%standard-phases)
+ `(modify-phases ,phases
+ (replace 'bootstrap
+ (lambda* (#:key inputs #:allow-other-keys)
+ (substitute* (list "gnulib/gnulib-tool"
+ "gnulib/build-aux/git-version-gen")
+ (("/bin/sh") (which "sh")))
+ (invoke "bash" "bootstrap" "--no-git"
+ "--gnulib-srcdir=gnulib")
+ #t))))))
+ (native-inputs
+ `(("autoconf" ,autoconf)
+ ("automake" ,automake)
+ ("git" ,git-minimal)
+ ,@(package-native-inputs patch))))))
+
(define-public diffutils
(package
(name "diffutils")
--
2.30.2
bug-guix@HIDDEN:bug#47144; Package guix.
Full text available.Received: (at 47144) by debbugs.gnu.org; 15 Mar 2021 18:26:18 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Mon Mar 15 14:26:18 2021 Received: from localhost ([127.0.0.1]:37073 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1lLruz-0005Ma-SK for submit <at> debbugs.gnu.org; Mon, 15 Mar 2021 14:26:18 -0400 Received: from mail.zaclys.net ([178.33.93.72]:34011) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <lle-bout@HIDDEN>) id 1lLrux-0005MH-Jz for 47144 <at> debbugs.gnu.org; Mon, 15 Mar 2021 14:26:16 -0400 Received: from localhost.localdomain (82-64-145-38.subs.proxad.net [82.64.145.38]) (authenticated bits=0) by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 12FIQ9uP017842 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Mon, 15 Mar 2021 19:26:09 +0100 DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 12FIQ9uP017842 Authentication-Results: mail.zaclys.net; dmarc=fail (p=reject dis=none) header.from=zaclys.net Authentication-Results: mail.zaclys.net; spf=fail smtp.mailfrom=lle-bout@HIDDEN DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net; s=default; t=1615832769; bh=HcHkofLUZrmqY5CXOL5IV/gAUnyOzi8trgG+S8w2yUA=; h=From:To:Cc:Subject:Date:From; b=Vd47DqdgMcwFzNL0ce6q2wNE6rl5lFkffDcb/ZuHFzjWO4ED/OLeo+nNKTTm2+KRH /1yiJ2UWMmPFfDXoavEQEmbGo+ssqvn+KO77FDOaNZM1vqXMUElze3x1rWCPYCtWFQ 8P0DdxjYZE9APJJMcGTZyb7b9LsxPly9Va4xlHWg= From: =?UTF-8?q?L=C3=A9o=20Le=20Bouter?= <lle-bout@HIDDEN> To: 47144 <at> debbugs.gnu.org Subject: [PATCH 0/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes]. Date: Mon, 15 Mar 2021 19:26:04 +0100 Message-Id: <20210315182605.25973-1-lle-bout@HIDDEN> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 47144 Cc: =?UTF-8?q?L=C3=A9o=20Le=20Bouter?= <lle-bout@HIDDEN> X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -1.0 (-) I tried something, using patch git repo's master instead of release tarballs, I am not sure the git repo contains all the fixes, we could alternatively just pull patches from Debian. This attempt does not work yet however, it fails on some gnulib source file not being found for some reason: gcc: error: parse-datetime.c: No such file or directory gcc: fatal error: no input files compilation terminated. This file seems to be generated by YACC from earlier log. Léo Le Bouter (1): gnu: patch: Update to 2.7.6-7623b2d [security fixes]. gnu/packages/base.scm | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) -- 2.30.2
bug-guix@HIDDEN:bug#47144; Package guix.
Full text available.Ludovic Courtès <ludo@HIDDEN>
to control <at> debbugs.gnu.org.
Full text available.
Received: (at submit) by debbugs.gnu.org; 14 Mar 2021 21:39:01 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Mar 14 17:39:01 2021
Received: from localhost ([127.0.0.1]:34341 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1lLYRx-00032M-Bf
for submit <at> debbugs.gnu.org; Sun, 14 Mar 2021 17:39:01 -0400
Received: from lists.gnu.org ([209.51.188.17]:35168)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <mhw@HIDDEN>) id 1lLYRv-00032F-Ty
for submit <at> debbugs.gnu.org; Sun, 14 Mar 2021 17:39:00 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:55932)
by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.90_1) (envelope-from <mhw@HIDDEN>) id 1lLYRv-0003hB-LP
for bug-guix@HIDDEN; Sun, 14 Mar 2021 17:38:59 -0400
Received: from world.peace.net ([64.112.178.59]:55722)
by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.90_1) (envelope-from <mhw@HIDDEN>) id 1lLYRs-0004M3-QH
for bug-guix@HIDDEN; Sun, 14 Mar 2021 17:38:59 -0400
Received: from mhw by world.peace.net with esmtpsa
(TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92)
(envelope-from <mhw@HIDDEN>)
id 1lLYRr-0001IX-1C; Sun, 14 Mar 2021 17:38:55 -0400
From: Mark H Weaver <mhw@HIDDEN>
To: bug-guix@HIDDEN
Subject: security patching of 'patch' package
References: <6d01d537754ce50b10035903d8e7d205699c4b39.camel@HIDDEN>
Date: Sun, 14 Mar 2021 17:37:25 -0400
Message-ID: <877dm9s9fz.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
Received-SPF: pass client-ip=64.112.178.59; envelope-from=mhw@HIDDEN;
helo=world.peace.net
X-Spam_score_int: -18
X-Spam_score: -1.9
X-Spam_bar: -
X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_NONE=0.001,
SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.3 (-)
X-Debbugs-Envelope-To: submit
Cc: =?utf-8?Q?L=C3=A9o?= Le Bouter <lle-bout@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.3 (--)
--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
I'm forwarding this to bug-guix@HIDDEN so that it won't be forgotten.
Mark
-------------------- Start of forwarded message --------------------
Subject: security patching of 'patch' package
From: L=C3=A9o Le Bouter <lle-bout@HIDDEN>
To: guix-devel@HIDDEN
Date: Wed, 10 Mar 2021 04:14:35 +0100
--=-=-=
Content-Type: multipart/signed; boundary="==-=-="
--==-=-=
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Hello!
I could find that the 'patch' package was vulnerable to numerous CVEs
that other distros like Debian have patched. Here's the list reported
by 'guix lint -c cve patch':
patch@HIDDEN: probably vulnerable to CVE-2019-13636, CVE-2019-13638,
CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951, CVE-
2018-6952
Can I use latest commit from master to build 'patch' then graft
original package?
i.e. https://git.savannah.gnu.org/git/patch.git
There's not that many commits since last release, but lots of time:=20
https://git.savannah.gnu.org/cgit/patch.git/log/
Thank you,
L=C3=A9o
--==-=-=
Content-Type: application/pgp-signature; name=signature.asc
Content-Transfer-Encoding: base64
Content-Description: This is a digitally signed message part
LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KCmlRSXpCQUFCQ2dBZEZpRUVGSXZMaTlnTCt4
YXgzZzZSUmFpeDZHdk5FS1lGQW1CSU9ac0FDZ2tRUmFpeDZHdk4KRUtZVktoQUFtUWJTMHE2eGdt
b0M1RW8rVDRxWWlMcmc2RWZVTWljWU85STFMQkRGR2ZwODVYSU1qcUF0SWtpRAoyQjFYSkx6WFk3
eFpoZWlLQllManBwdXE1WEhYR01RODBKWmkwbFFFdW9NaDArMURUY3Z2STBVZ3R5ZGp4dmFzCkM5
RFRsaE5URnhtMzY4VzdxeFlSMkp0dHNVc3R5d2VWejI3RFBZOU82MlFSVW55SFJzSnZRWExTSS9D
SFdYRkkKM0RpWHpqakJYb3dzQ3U5YWY2OWZJekJDQlE2QjBRdmtucnlIbml4MUFlVm5TZnUvMFNN
N0JpbXk1QUtPbmprTgpjam5IUXI1TWMrRklWZE91L3B6Z05vVm13Y3pWaHl1L0E4blJlWUlpZVBH
VE1hK0NwdUVyL1ZyZXhxYzNucGNYCmpZem80UCtkL1BSZEFMR2dkT2xHTURkbEFyM1pWSGhTOVA1
YWdRZTlRM1llSlZWU1p6d0g2VHpGVCswS3JFTnkKMkhvTSt6S05CRThxVkxNdURIOUFhWjdYclp5
SkpEb211RG05MjdvamFTblMwc3EwbmJ6ekxXa1NOR25MK2hYago1TkZDbS9RQ2xHeVNjOURNdVpX
Yzc2bnhuMDJCVHlraUtYQzAzUC9HZk1KM0I5N0xldjUxaDVvRWk0VGxLc1JoCmpsTXdKQmFZcDho
NkZQNkVESkxjOGFoYUlLTjhhb29xdXV0Rk9VWG4rSUdCbVlZMXVYVE8wVjBVSnFWejEzMUoKR2Rt
SDRTblZxV3RDYmlLQ1ZMU2d1QXRoUzZFd1NxMEVBekVhZVVWbWkxOFlBKytnT3A2TitGUVNtanBS
a1J3WApqVnd0VG16WW9ML3lLeDI4Q29QYXBGSzdwYTNla0IwVzQzbnc0L0ViNjhxcGJ2bHBYeEk9
Cj1jRVNQCi0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQo=
--==-=-=--
--=-=-=
Content-Type: text/plain
-------------------- End of forwarded message --------------------
--=-=-=--
Mark H Weaver <mhw@HIDDEN>:bug-guix@HIDDEN.
Full text available.bug-guix@HIDDEN:bug#47144; Package guix.
Full text available.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.