I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.
Mark
-------------------- Start of forwarded message --------------------
Subject: security patching of 'patch' package
From: Léo Le Bouter <lle-bout@zaclys.net>
To: guix-devel@gnu.org
Date: Wed, 10 Mar 2021 04:14:35 +0100
Hello!
I found that the 'patch' package is vulnerable to numerous CVEs
that other distros like Debian have patched. Here's the list reported
by 'guix lint -c cve patch':
patch@2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638,
CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951,
CVE-2018-6952
Can I use the latest commit from master to build 'patch', then graft
the original package?
There aren't that many commits since the last release, but a lot of time has passed:
Thank you,
Léo
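As an added illustration of what the graft Léo is asking about looks like in Guix's package language (example code written for this page, not code from the thread or from Guix's own gnu/packages/base.scm; the patch file names under search-patches are hypothetical placeholders, and which upstream commit fixes which CVE is not something this thread establishes):

```scheme
;; Added example: the shape of a security graft for the 'patch' package.
;; Not from the thread or from Guix's gnu/packages/base.scm.
;; Assumptions: 'patch' is the existing 2.7.6 package record; the
;; "patch-CVE-*.patch" file names are hypothetical and must be real files
;; found by search-patches (gnu/packages/patches/ in Guix proper).
(use-modules (guix packages)   ; package, origin, package-source
             (gnu packages))   ; search-patches

;; Step 1: a replacement that inherits everything from the original and
;; changes only the source, by adding backported fix patches on top of the
;; same 2.7.6 tarball. Keeping name, version, inputs and build system
;; identical is what makes the result safe to graft: the output has the
;; same file layout, so store references can be rewritten in place.
(define patch/fixed
  (package
    (inherit patch)
    (source
     (origin
       (inherit (package-source patch))
       (patches (search-patches "patch-CVE-2018-6951.patch"     ; hypothetical
                                "patch-CVE-2018-1000156.patch"  ; hypothetical
                                "patch-CVE-2019-13636.patch")))))) ; hypothetical

;; Step 2: point the original package at the replacement. Dependents keep
;; their existing derivations (no mass rebuild); when a dependent is
;; installed, Guix grafts it by rewriting references to the original
;; 'patch' output into references to patch/fixed's output.
;; The lint-hidden-cve property tells 'guix lint -c cve' to stop reporting
;; the CVEs that the applied patches cover (list only those actually fixed).
(define-public patch
  (package
    (inherit patch)
    (replacement patch/fixed)
    (properties
     `((lint-hidden-cve . ("CVE-2018-6951"
                           "CVE-2018-1000156"
                           "CVE-2019-13636"))))))
```

Two caveats a reviewer would want noted: the replacement must keep the same outputs and file names as the original (that is why it inherits the package and only swaps the source), and the alternative Léo floats, building the current git master, would also need the git checkout's autotools bootstrap and gnulib sources as native inputs, so a patched release tarball is the smaller and easier-to-review change. After the graft is in place, rerun `guix lint -c cve patch` and `guix build patch --check` style verification on the replacement to confirm the patches apply and the remaining CVE list is only what is still unfixed.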