To: email@example.com
From: Léo Le Bouter <firstname.lastname@example.org>
I'm forwarding this to email@example.com so that it won't be forgotten.

Mark

-------------------- Start of forwarded message --------------------
Subject: security patching of 'patch' package
From: Léo Le Bouter <firstname.lastname@example.org>
To: email@example.com
Date: Wed, 10 Mar 2021 04:14:35 +0100
Hello!

I found that the 'patch' package is vulnerable to numerous CVEs that other distros like Debian have patched. Here's the list reported by 'guix lint -c cve patch':

firstname.lastname@example.org: probably vulnerable to CVE-2019-13636, CVE-2019-13638, CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951, CVE-2018-6952

Can I use the latest commit from master to build 'patch' and then graft the original package? i.e. https://git.savannah.gnu.org/git/patch.git

There aren't that many commits since the last release, but a lot of time has passed: https://git.savannah.gnu.org/cgit/patch.git/log/

Thank you,
Léo
[PATCH 0/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes].
To: email@example.com
From: Léo Le Bouter <firstname.lastname@example.org>
I tried something, using the master branch of the patch git repo instead of the release tarballs. I am not sure the git repo contains all the fixes; we could alternatively just pull patches from Debian.

This attempt does not work yet, however: it fails because some gnulib source file is not found, for some reason:

gcc: error: parse-datetime.c: No such file or directory
gcc: fatal error: no input files
compilation terminated.

According to earlier output in the log, this file seems to be generated by YACC.

Léo Le Bouter (1):
  gnu: patch: Update to 2.7.6-7623b2d [security fixes].

 gnu/packages/base.scm | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

-- 
2.30.2
It’s (almost) useless to provide a graft of ‘patch’ because patch is usually a build-time-only dependency. (Maybe we can tell it’s not vulnerable to the issues at hand because in that context it’s always given controlled input: the package patches.)

What could be useful is to provide a second version of patch so that people running ‘guix install patch’ or similar get the newer version.

HTH,
Ludo’.
I tried building a "fixed" package of patch, cherry-picking bug-fix patches from patch.git.

Unfortunately, the patches largely don't apply to the most recent release of patch.

Since there is no release fixing these bugs, and no clear advice about which patches to apply, I'm going to stop working on this for now.