gnu: bash: Remove graft for CVE-2017-5932.

* gnu/packages/bash.scm (bash)[replacement]: Remove. (bash-minimal)[replacement]: Remove. (url-fetch/reset-patch-level, bash/fixed): Remove.
2017-02-10 17:44:31 +01:00 · 2017-02-10 17:44:31 +01:00 · 20c1b4b88d
parent 768f0ac9dd
commit 20c1b4b88d
1 changed files with 1 additions and 40 deletions
--- a/gnu/packages/bash.scm
+++ b/gnu/packages/bash.scm
@ -65,7 +65,7 @@
   (4 "1cy8abf96hkrjhw921ndr0shlcnc52bg45rn6xri4v5clhq0l25d")
   (5 "0a8515kyk4zsgmvlqvlganjfr7pq0j6kzpr4d6xx02kpbdr4n7i2")
   (6 "1f24wgqngmj2mrj9yibwvc2zvlmn5xi53mnw777g3l40c4m2x3ka")
-   (7 "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y")
+   (7 "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y") ;CVE-2017-5932
   (8 "1firw915mjm03hbbw9a70ch3cpgrgnvqjpllgdnn6csr8q04f546")
   (9 "0g1l56kvw61rpw7dqa9fcl9llkl693h73g631hrhxlm030ddssqb")
   (10 "01lfhrkdsdkdz8ypzapr614ras23x7ckjnr60aa5bzkaqprccrc4")
@ -110,7 +110,6 @@ number/base32-hash tuples, directly usable in the 'patch-series' form."
         (version "4.4"))
    (package
     (name "bash")
-     (replacement bash/fixed)
     (source (origin
              (method url-fetch)
              (uri (string-append
@ -204,7 +203,6 @@ without modification.")
  ;; A stripped-down Bash for non-interactive use.
  (package (inherit bash)
    (name "bash-minimal")
-    (replacement #f) ;not vulnerable to CVE-2017-5932 since it lacks completion
    (inputs '())                                ; no readline, no curses

    ;; No "include" output because there's no support for loadable modules.
@ -260,43 +258,6 @@ without modification.")
                   (delete-file-recursively (string-append out "/share"))
                   #t))))))))))

-(define* (url-fetch/reset-patch-level url hash-algo hash
-                                      #:optional name
-                                      #:key (system (%current-system)) guile)
-  "Fetch the Bash patch from URL and reset its 'PATCHLEVEL' definition so it
-can apply to a patch-level 0 Bash."
-  (mlet* %store-monad ((name -> (or name (basename url)))
-                       (patch (url-fetch url hash-algo hash
-                                         (string-append name ".orig")
-                                         #:system system
-                                         #:guile guile)))
-    (gexp->derivation name
-                      (with-imported-modules '((guix build utils))
-                        #~(begin
-                            (use-modules (guix build utils))
-                            (copy-file #$patch #$output)
-                            (substitute* #$output
-                              (("PATCHLEVEL [0-6]+")
-                               "PATCHLEVEL 0"))))
-                      #:guile-for-build guile
-                      #:system system)))
-
-(define bash/fixed                        ;CVE-2017-5932 (RCE with completion)
-  (package
-    (inherit bash)
-    (version "4.4.A")                             ;4.4.0 + patch #7
-    (replacement #f)
-    (source
-     (origin
-       (inherit (package-source bash))
-       (patches (cons (origin
-                        (method url-fetch/reset-patch-level)
-                        (uri (patch-url 7))
-                        (sha256
-                         (base32
-                          "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y")))
-                      (origin-patches (package-source bash))))))))
-
 (define-public bash-completion
  (package
    (name "bash-completion")