security patching of 'patch' package

Open
Submitted by Mark H Weaver.
Details
4 participants
  • Leo Famulari
  • Léo Le Bouter
  • Ludovic Courtès
  • Mark H Weaver
Owner
unassigned
Severity
normal
Mark H Weaver wrote on 14 Mar 22:37 +0100
(address . bug-guix@gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
877dm9s9fz.fsf@netris.org
I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.
Mark
-------------------- Start of forwarded message --------------------
Subject: security patching of 'patch' package
From: Léo Le Bouter <lle-bout@zaclys.net>
To: guix-devel@gnu.org
Date: Wed, 10 Mar 2021 04:14:35 +0100
Hello!
I could find that the 'patch' package was vulnerable to numerous CVEs that other distros like Debian have patched. Here's the list reported by 'guix lint -c cve patch':
patch@2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638, CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951, CVE-2018-6952
Can I use the latest commit from master to build 'patch' and then graft the original package?
i.e. https://git.savannah.gnu.org/git/patch.git
There's not that many commits since last release, but lots of time: https://git.savannah.gnu.org/cgit/patch.git/log/
Thank you,
Léo
-------------------- End of forwarded message --------------------
Ludovic Courtès wrote on 15 Mar 14:42 +0100
control message for bug #47144
(address . control@debbugs.gnu.org)
87r1kgh6so.fsf@gnu.org
tags 47144 + security
quit
Léo Le Bouter wrote on 15 Mar 19:26 +0100
[PATCH 0/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes].
(address . 47144@debbugs.gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
20210315182605.25973-1-lle-bout@zaclys.net
I tried something: using the patch git repo's master instead of release tarballs. I am not sure the git repo contains all the fixes; we could alternatively just pull patches from Debian.
This attempt does not work yet, however; it fails on some gnulib source file not being found for some reason:
gcc: error: parse-datetime.c: No such file or directory
gcc: fatal error: no input files
compilation terminated.
This file seems to be generated by YACC, judging from the earlier log.
Léo Le Bouter (1): gnu: patch: Update to 2.7.6-7623b2d [security fixes].
gnu/packages/base.scm | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+)
-- 2.30.2
Léo Le Bouter wrote on 15 Mar 19:26 +0100
[PATCH 1/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes].
(address . 47144@debbugs.gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
20210315182605.25973-2-lle-bout@zaclys.net
* gnu/packages/base.scm (patch/fixed): New variable.
(patch)[replacement]: Graft.
---
 gnu/packages/base.scm | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
Toggle diff (72 lines)diff --git a/gnu/packages/base.scm b/gnu/packages/base.scmindex 9aa69cfe77..a71b47ac4f 100644--- a/gnu/packages/base.scm+++ b/gnu/packages/base.scm@@ -46,12 +46,14 @@ #:use-module (gnu packages compression) #:use-module (gnu packages perl) #:use-module (gnu packages linux)+ #:use-module (gnu packages autotools) #:use-module (gnu packages pcre) #:use-module (gnu packages texinfo) #:use-module (gnu packages hurd) #:use-module (gnu packages pkg-config) #:use-module (gnu packages python) #:use-module (gnu packages gettext)+ #:use-module (gnu packages version-control) #:use-module (guix i18n) #:use-module (guix utils) #:use-module (guix packages)@@ -228,6 +230,7 @@ standard utility.") (base32 "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc")) (patches (search-patches "patch-hurd-path-max.patch"))))+ (replacement patch/fixed) (build-system gnu-build-system) (arguments ;; Work around a cross-compilation bug whereby libpatch.a would provide@@ -246,6 +249,42 @@ differences.") (license gpl3+) (home-page "https://savannah.gnu.org/projects/patch/"))) +(define patch/fixed+ (let ((commit "7623b2dc0d1837ecfd58f32efc78e35834deeb38"))+ (package/inherit patch+ (name "patch")+ (version "2.7.6")+ ;; (version (string-append "2.7.6-" (string-take commit 7)))+ (source+ (origin+ (method git-fetch)+ (uri (git-reference+ (url "https://git.savannah.gnu.org/git/patch.git")+ (commit commit)+ (recursive? 
#t)))+ (file-name (git-file-name name version))+ (sha256+ (base32+ "0k3i95gkbi21lipadlg1zd03d928b65x322q08xgdg461vnw2i6h"))+ (patches (search-patches "patch-hurd-path-max.patch"))))+ (arguments+ (substitute-keyword-arguments (package-arguments patch)+ ((#:phases phases '%standard-phases)+ `(modify-phases ,phases+ (replace 'bootstrap+ (lambda* (#:key inputs #:allow-other-keys)+ (substitute* (list "gnulib/gnulib-tool"+ "gnulib/build-aux/git-version-gen")+ (("/bin/sh") (which "sh")))+ (invoke "bash" "bootstrap" "--no-git"+ "--gnulib-srcdir=gnulib")+ #t))))))+ (native-inputs+ `(("autoconf" ,autoconf)+ ("automake" ,automake)+ ("git" ,git-minimal)+ ,@(package-native-inputs patch))))))+ (define-public diffutils (package (name "diffutils")-- 2.30.2
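Review bot: importing (gnu packages autotools) and (gnu packages version-control) into gnu/packages/base.scm, in the first hunk, risks a circular module dependency, since base.scm sits at the bottom of the package graph and git-minimal and the autotools are themselves built on top of what it defines; before relying on this, confirm that `guix build patch` still loads the module without an unbound-variable error, or define patch/fixed in a higher-level module that already imports those two.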
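Review bot: the `(replacement patch/fixed)` hunk gives little protection on its own, because patch is almost always a build-time input that only ever sees package patches (the thread makes this point); the exposure that matters is a user running `patch` on an untrusted diff, and reaching that user needs a second, newer package variant rather than a graft. If the graft is kept anyway, the `(version "2.7.6")` line must stay as it is: a graft rewrites store file names in place and so requires the replacement's output name to have the same length as the original's, which means the commented-out `(version (string-append "2.7.6-" (string-take commit 7)))` can never be enabled on a replacement.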
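Review bot: the native-inputs of patch/fixed lack a yacc implementation, which is exactly the failure the cover letter reports (`gcc: error: parse-datetime.c: No such file or directory`): when building from a git checkout, parse-datetime.c is generated from gnulib's parse-datetime.y at build time, whereas release tarballs ship the pregenerated file. Add `("bison" ,bison)` (from (gnu packages bison)) next to autoconf and automake. Minor: the replaced 'bootstrap phase binds `inputs` without using it; `(lambda _ ...)` is enough.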
Ludovic Courtès wrote on 18 Mar 22:58 +0100
(name . Léo Le Bouter via Bug reports for GNU Guix)(address . bug-guix@gnu.org)
87lfakjf8f.fsf@gnu.org
Hi,
Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> wrote:
> * gnu/packages/base.scm (patch/fixed): New variable.
> (patch)[replacement]: Graft.
It's (almost) useless to provide a graft of 'patch' because patch is usually a build-time only dependency. (Maybe we can tell it's not vulnerable to the issues at hand because in that context it's always given controlled input: the package patches.)
What could be useful is to provide a second version of patch so that people running 'guix install patch' or similar get the newer version.
HTH,
Ludo'.
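The distinction drawn in the message above, controlled input inside the build versus whatever a user feeds the `patch` binary they installed, is the security boundary this thread turns on. As an added example that is not part of the thread, of Guix or of GNU patch, here is a pre-filter one could put in front of `patch` when its input is not controlled. The detection rules, regular expressions, function names and the three sample diffs are this example's own assumptions; it inspects only the text of the diff and does not look at the work tree, so it cannot catch a target reached through a symlinked directory.

```python
"""Pre-filter for diffs from an untrusted source before they reach `patch`.

Added example (not from the Guix thread or GNU patch).  Two input classes are
rejected: ed-style scripts, which GNU patch auto-detects and pipes into ed(1),
whose "!" command runs a shell command; and file headers that name an absolute
path or climb out of the work tree with a ".." component.
"""
import os
import re
from typing import Iterator, List

# Bare ed commands such as "12a", "3,5c" or "7d" at column 0.  Inside a unified
# or context hunk every content line carries a prefix (" ", "+", "-", "!"), so a
# bare command at column 0 only appears in an ed-style diff.
ED_COMMAND_RE = re.compile(r"^\d+(?:,\d+)?[acd]$")
# ed's shell escape.
ED_SHELL_RE = re.compile(r"^!")
# File headers of context ("*** old", "--- new") and unified ("--- old", "+++ new")
# diffs plus the "Index:" preamble; group 1 is the candidate path.  Context hunk
# range lines ("--- 1,4 ----") also match but only yield a harmless "1,4".
HEADER_RE = re.compile(r"^(?:\*\*\* |--- |\+\+\+ |Index: )(\S+)")
GIT_HEADER_RE = re.compile(r"^diff --git a/(\S+) b/(\S+)$")


def iter_target_paths(diff_text: str) -> Iterator[str]:
    """Yield every path named by a file header, exactly as written in the diff."""
    for line in diff_text.splitlines():
        m = GIT_HEADER_RE.match(line)
        if m:
            yield from m.groups()
            continue
        m = HEADER_RE.match(line)
        if m:
            yield m.group(1)


def escapes_work_tree(path: str) -> bool:
    """True if applying to `path` could write outside the directory patch runs in."""
    if path == "/dev/null":  # conventional marker for a created or deleted file
        return False
    if os.path.isabs(path):
        return True
    return ".." in path.replace("\\", "/").split("/")


def find_problems(diff_text: str) -> List[str]:
    """Return reasons to reject the diff; an empty list means accept.

    Deliberately conservative: a removed line whose content starts with "-- /"
    is reported too, which is the right failure mode for a gatekeeper.
    """
    problems = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if ED_COMMAND_RE.match(line):
            problems.append(f"line {lineno}: ed-style command {line!r}")
        elif ED_SHELL_RE.match(line):
            problems.append(f"line {lineno}: ed shell escape {line!r}")
    for path in iter_target_paths(diff_text):
        if escapes_work_tree(path):
            problems.append(f"file header names a path outside the work tree: {path!r}")
    return problems


def is_safe_for_patch(diff_text: str) -> bool:
    return not find_problems(diff_text)


# Constructed samples for demonstration; none of them comes from the thread.
BENIGN_DIFF = """\
--- a/hello.c
+++ b/hello.c
@@ -1,3 +1,3 @@
 int main(void) {
-    return 1;
+    return 0;
 }
"""

ED_SCRIPT = """\
1d
!id > /tmp/pwned
w
q
"""

TRAVERSAL_DIFF = """\
--- a/../../etc/passwd
+++ b/../../etc/passwd
@@ -1 +1 @@
-root:x:0:0:root:/root:/bin/bash
+root::0:0:root:/root:/bin/bash
"""

if __name__ == "__main__":
    for name, text in [("benign", BENIGN_DIFF), ("ed", ED_SCRIPT), ("traversal", TRAVERSAL_DIFF)]:
        print(f"{name}: {'accept' if is_safe_for_patch(text) else 'reject'}")
        for problem in find_problems(text):
            print("   ", problem)
```

When `patch` must be run on input that passes this filter, also pass `-u` (or `-c`) so the diff format is fixed and the ed-script auto-detection never engages, and run it in a scratch directory that contains only the files meant to be patched.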
Leo Famulari wrote on 24 Mar 05:06 +0100
(no subject)
(address . control@debbugs.gnu.org)
YFq6wUqi070//Gk+@jasmine.lan
block 47297 with 47140
block 47297 with 47141
block 47297 with 47142
block 47297 with 47143
block 47297 with 47144
Leo Famulari wrote on 14 Apr 23:54 +0200
Re: bug#47144: security patching of 'patch' package
(name . Mark H Weaver)(address . mhw@netris.org)(address . 47144@debbugs.gnu.org)
YHdklP7565AtJ4uR@jasmine.lan
On Sun, Mar 14, 2021 at 05:37:25PM -0400, Mark H Weaver wrote:
> patch@2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638,
> CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951,
> CVE-2018-6952
I tried building a "fixed" package of patch, cherry-picking bug fix patches from patch.git.
Unfortunately, the patches largely don't apply to the most recent release of patch.
Since there is no release fixing these bugs, and no clear advice about which patches to apply, I'm going to stop working on this for now.
Leo Famulari wrote on 14 Apr 23:54 +0200
(no subject)
(address . control@debbugs.gnu.org)
YHdksDadnrKDcbUD@jasmine.lan
unblock 47297 with 47144