GNU bug report logs - #47941
guix lint -c cve stacktrace

Previous Next

Package: guix;

Reported by: Jack Hill <jackhill <at> jackhill.us>

Date: Wed, 21 Apr 2021 20:31:01 UTC

Severity: normal

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 47941 in the body.
You can then email your comments to 47941 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to bug-guix <at> gnu.org:
bug#47941; Package guix. (Wed, 21 Apr 2021 20:31:01 GMT) Full text and rfc822 format available.
Acknowledgement sent to Jack Hill <jackhill <at> jackhill.us>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Wed, 21 Apr 2021 20:31:01 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Jack Hill <jackhill <at> jackhill.us>
To: bug-guix <at> gnu.org
Subject: guix lint -c cve stacktrace
Date: Wed, 21 Apr 2021 16:29:58 -0400 (EDT)

[Message part 1 (text/plain, inline)]
Hi Guix,

Using guix ae5128e21eb7afa66bd7cfd7fd1bc5764d00663e, the cve lint check 
fails when fetching the CVE database as follows:

$ guix lint -c cve hello
fetching CVE database for 2021...
Backtrace:
          15 (primitive-load "/home/jackhill/.config/guix/current/bi…")
In guix/ui.scm:
  2164:12 14 (run-guix-command _ . _)
In ice-9/boot-9.scm:
  1736:10 13 (with-exception-handler _ _ #:unwind? _ # _)
  1731:15 12 (with-exception-handler #<procedure 7f895ab7d000 at ic…> …)
In srfi/srfi-1.scm:
    634:9 11 (for-each #<procedure 7f895ab84d80 at guix/scripts/lin…> …)
In guix/scripts/lint.scm:
     65:4 10 (run-checkers _ _ #:store _)
In srfi/srfi-1.scm:
    634:9  9 (for-each #<procedure 7f895420bc00 at guix/scripts/lin…> …)
In guix/scripts/lint.scm:
    74:21  8 (_ _)
In guix/lint.scm:
   1178:4  7 (check-vulnerabilities _ _)
   1170:9  6 (_ _)
In unknown file:
           5 (force #<promise #<procedure 7f895af13a88 at guix/lint.…>)
In guix/lint.scm:
   1153:2  4 (_)
   1112:2  3 (call-with-networking-fail-safe _ _ _)
In ice-9/boot-9.scm:
  1736:10  2 (with-exception-handler _ _ #:unwind? _ # _)
  1669:16  1 (raise-exception _ #:continuable? _)
  1667:16  0 (raise-exception _ #:continuable? _)

ice-9/boot-9.scm:1667:16: In procedure raise-exception:
Wrong type (expecting array): #f

Best,
Jack
Reply sent to Ludovic Courtès <ludo <at> gnu.org>:
You have taken responsibility. (Wed, 21 Apr 2021 22:05:01 GMT) Full text and rfc822 format available.
Notification sent to Jack Hill <jackhill <at> jackhill.us>:
bug acknowledged by developer. (Wed, 21 Apr 2021 22:05:01 GMT) Full text and rfc822 format available.

Message #10 received at 47941-done <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Jack Hill <jackhill <at> jackhill.us>
Cc: 47941-done <at> debbugs.gnu.org
Subject: Re: bug#47941: guix lint -c cve stacktrace
Date: Thu, 22 Apr 2021 00:04:35 +0200

Hi,

Jack Hill <jackhill <at> jackhill.us> skribis:

> Using guix ae5128e21eb7afa66bd7cfd7fd1bc5764d00663e, the cve lint
> check fails when fetching the CVE database as follows:
>
> $ guix lint -c cve hello
> fetching CVE database for 2021...
> Backtrace:
>           15 (primitive-load "/home/jackhill/.config/guix/current/bi…")
> In guix/ui.scm:
>   2164:12 14 (run-guix-command _ . _)
> In ice-9/boot-9.scm:
>   1736:10 13 (with-exception-handler _ _ #:unwind? _ # _)
>   1731:15 12 (with-exception-handler #<procedure 7f895ab7d000 at ic…> …)
> In srfi/srfi-1.scm:
>     634:9 11 (for-each #<procedure 7f895ab84d80 at guix/scripts/lin…> …)
> In guix/scripts/lint.scm:
>      65:4 10 (run-checkers _ _ #:store _)
> In srfi/srfi-1.scm:
>     634:9  9 (for-each #<procedure 7f895420bc00 at guix/scripts/lin…> …)
> In guix/scripts/lint.scm:
>     74:21  8 (_ _)
> In guix/lint.scm:
>    1178:4  7 (check-vulnerabilities _ _)
>    1170:9  6 (_ _)
> In unknown file:
>            5 (force #<promise #<procedure 7f895af13a88 at guix/lint.…>)
> In guix/lint.scm:
>    1153:2  4 (_)
>    1112:2  3 (call-with-networking-fail-safe _ _ _)
> In ice-9/boot-9.scm:
>   1736:10  2 (with-exception-handler _ _ #:unwind? _ # _)
>   1669:16  1 (raise-exception _ #:continuable? _)
>   1667:16  0 (raise-exception _ #:continuable? _)
>
> ice-9/boot-9.scm:1667:16: In procedure raise-exception:
> Wrong type (expecting array): #f

Fixed:

  https://git.savannah.gnu.org/cgit/guix.git/commit/?id=7dbc2fcb45fac4a0b64fef8efa8c858a047d0498

It looks like a couple of bogus CVE entries crept in.  It’s surprising
because we never encountered such issues before, so I wonder if MITRE
changed something on their side.

Thanks,
Ludo’.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 20 May 2021 11:24:07 GMT) Full text and rfc822 format available.
This bug report was last modified 2 years and 340 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.