security patching of 'patch' package

Open. Submitted by Mark H Weaver.

5 participants
  • Leo Famulari
  • Léo Le Bouter
  • Ludovic Courtès
  • Maxim Cournoyer
  • Mark H Weaver
Owner: unassigned
Severity: normal

Mark H Weaver wrote on 14 Mar 2021 22:37
(address . bug-guix@gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
877dm9s9fz.fsf@netris.org
I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.

Mark

-------------------- Start of forwarded message --------------------
Subject: security patching of 'patch' package
From: Léo Le Bouter <lle-bout@zaclys.net>
To: guix-devel@gnu.org
Date: Wed, 10 Mar 2021 04:14:35 +0100
Hello!

I could find that the 'patch' package was vulnerable to numerous CVEs
that other distros like Debian have patched. Here's the list reported
by 'guix lint -c cve patch':

patch@2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638,
CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951, CVE-
2018-6952

Can I use latest commit from master to build 'patch' then graft
original package?


There's not that many commits since last release, but lots of time:

Thank you,
Léo

-------------------- End of forwarded message --------------------
Ludovic Courtès wrote on 15 Mar 2021 14:42
control message for bug #47144
(address . control@debbugs.gnu.org)
87r1kgh6so.fsf@gnu.org
tags 47144 + security
quit
Léo Le Bouter wrote on 15 Mar 2021 19:26
[PATCH 0/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes].
(address . 47144@debbugs.gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
20210315182605.25973-1-lle-bout@zaclys.net
I tried something, using patch git repo's master instead of release tarballs. I
am not sure the git repo contains all the fixes; we could alternatively just
pull patches from Debian.

This attempt does not work yet however, it fails on some gnulib source file not
being found for some reason:

gcc: error: parse-datetime.c: No such file or directory
gcc: fatal error: no input files
compilation terminated.

This file seems to be generated by YACC from earlier log.

Léo Le Bouter (1):
gnu: patch: Update to 2.7.6-7623b2d [security fixes].

gnu/packages/base.scm | 39 +++++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)

--
2.30.2
Léo Le Bouter wrote on 15 Mar 2021 19:26
[PATCH 1/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes].
(address . 47144@debbugs.gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
20210315182605.25973-2-lle-bout@zaclys.net
* gnu/packages/base.scm (patch/fixed): New variable.
(patch)[replacement]: Graft.
---
gnu/packages/base.scm | 39 +++++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)

diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 9aa69cfe77..a71b47ac4f 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -46,12 +46,14 @@
   #:use-module (gnu packages compression)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages linux)
+  #:use-module (gnu packages autotools)
   #:use-module (gnu packages pcre)
   #:use-module (gnu packages texinfo)
   #:use-module (gnu packages hurd)
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages python)
   #:use-module (gnu packages gettext)
+  #:use-module (gnu packages version-control)
   #:use-module (guix i18n)
   #:use-module (guix utils)
   #:use-module (guix packages)
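
Review bot: the two added imports, (gnu packages autotools) and (gnu packages version-control), make gnu/packages/base.scm depend on higher-level package modules only so that patch/fixed can name autoconf, automake and git-minimal. base.scm holds the core packages, so please check that neither module ends up importing base.scm back (a module cycle), or define the fixed variant in a module that already uses them.
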
@@ -228,6 +230,7 @@ standard utility.")
                (base32
                 "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc"))
               (patches (search-patches "patch-hurd-path-max.patch"))))
+   (replacement patch/fixed)
    (build-system gnu-build-system)
    (arguments
     ;; Work around a cross-compilation bug whereby libpatch.a would provide
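
Review bot: `(replacement patch/fixed)` grafts the new build onto everything that refers to patch, but a graft only rewrites run-time references, and the commit message does not say which dependents keep one; state that, or expose the fixed build as a separate package instead. The added line is also indented three spaces where the neighbouring fields (`(build-system gnu-build-system)`, `(arguments`) use four.
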
@@ -246,6 +249,42 @@ differences.")
    (license gpl3+)
    (home-page "https://savannah.gnu.org/projects/patch/")))
 
+(define patch/fixed
+  (let ((commit "7623b2dc0d1837ecfd58f32efc78e35834deeb38"))
+    (package/inherit patch
+      (name "patch")
+      (version "2.7.6")
+      ;; (version (string-append "2.7.6-" (string-take commit 7)))
+      (source
+       (origin
+         (method git-fetch)
+         (uri (git-reference
+               (url "https://git.savannah.gnu.org/git/patch.git")
+               (commit commit)
+               (recursive? #t)))
+         (file-name (git-file-name name version))
+         (sha256
+          (base32
+           "0k3i95gkbi21lipadlg1zd03d928b65x322q08xgdg461vnw2i6h"))
+         (patches (search-patches "patch-hurd-path-max.patch"))))
+      (arguments
+       (substitute-keyword-arguments (package-arguments patch)
+         ((#:phases phases '%standard-phases)
+           `(modify-phases ,phases
+             (replace 'bootstrap
+               (lambda* (#:key inputs #:allow-other-keys)
+                 (substitute* (list "gnulib/gnulib-tool"
+                                    "gnulib/build-aux/git-version-gen")
+                   (("/bin/sh") (which "sh")))
+                 (invoke "bash" "bootstrap" "--no-git"
+                         "--gnulib-srcdir=gnulib")
+                 #t))))))
+      (native-inputs
+       `(("autoconf" ,autoconf)
+         ("automake" ,automake)
+         ("git" ,git-minimal)
+         ,@(package-native-inputs patch))))))
+
 (define-public diffutils
   (package
    (name "diffutils")
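
Review bot: in patch/fixed, native-inputs adds autoconf, automake and git-minimal but no yacc implementation, although the cover letter reports the build stopping at a missing parse-datetime.c that appears to be YACC-generated; add a parser generator such as bison to native-inputs and re-run the bootstrap phase. The bootstrap call passes "--no-git" together with "--gnulib-srcdir=gnulib", so either explain in a comment why git-minimal is still required or drop it (which would also remove the need for the version-control import). Finally, use or delete the commented-out `(version (string-append "2.7.6-" (string-take commit 7)))` line, with a comment on why the version stays at 2.7.6 for a commit snapshot, and drop `(name "patch")`, which package/inherit already provides.
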
-- 
2.30.2
Ludovic Courtès wrote on 18 Mar 2021 22:58
(name . Léo Le Bouter via Bug reports for GNU Guix)(address . bug-guix@gnu.org)
87lfakjf8f.fsf@gnu.org
Hi,

Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> writes:

> * gnu/packages/base.scm (patch/fixed): New variable.
> (patch)[replacement]: Graft.

It’s (almost) useless to provide a graft of ‘patch’ because patch is
usually a build-time only dependency. (Maybe we can tell it’s not
vulnerable to the issues at hand because in that context it’s always
given controlled input: the package patches.)

What could be useful is to provide a second version of patch so that
people running ‘guix install patch’ or similar get the newer version.

HTH,
Ludo’.
Leo Famulari wrote on 24 Mar 2021 05:06
(no subject)
(address . control@debbugs.gnu.org)
YFq6wUqi070//Gk+@jasmine.lan
block 47297 with 47140
block 47297 with 47141
block 47297 with 47142
block 47297 with 47143
block 47297 with 47144
Leo Famulari wrote on 14 Apr 2021 23:54
Re: bug#47144: security patching of 'patch' package
(name . Mark H Weaver)(address . mhw@netris.org)(address . 47144@debbugs.gnu.org)
YHdklP7565AtJ4uR@jasmine.lan
On Sun, Mar 14, 2021 at 05:37:25PM -0400, Mark H Weaver wrote:
> patch@2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638,
> CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951, CVE-
> 2018-6952

I tried building a "fixed" package of patch, cherry-picking bug fix
patches from patch.git.

Unfortunately, the patches largely don't apply to the most recent
release of patch.

Since there is no release fixing these bugs, and no clear advice about
which patches to apply, I'm going to stop working on this for now.
Leo Famulari wrote on 14 Apr 2021 23:54
(no subject)
(address . control@debbugs.gnu.org)
YHdksDadnrKDcbUD@jasmine.lan
unblock 47297 with 47144
Maxim Cournoyer wrote on 23 Mar 04:03 +0100
Re: bug#47144: security patching of 'patch' package
(name . Ludovic Courtès)(address . ludo@gnu.org)
87mthhz7xo.fsf_-_@gmail.com
Hi,

Ludovic Courtès <ludo@gnu.org> writes:

> Hi,
>
> Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> writes:
>
>> * gnu/packages/base.scm (patch/fixed): New variable.
>> (patch)[replacement]: Graft.
>
> It’s (almost) useless to provide a graft of ‘patch’ because patch is
> usually a build-time only dependency. (Maybe we can tell it’s not
> vulnerable to the issues at hand because in that context it’s always
> given controlled input: the package patches.)
>
> What could be useful is to provide a second version of patch so that
> people running ‘guix install patch’ or similar get the newer version.

The latest release of patch is the one we have, v2.7.6, made 4 years
ago.

Thanks,

Maxim

To comment on this conversation send email to 47144@debbugs.gnu.org