From 20c1b4b88d396b6261660e2fda03229094cce62d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?=
Date: Fri, 10 Feb 2017 17:44:31 +0100
Subject: [PATCH] gnu: bash: Remove graft for CVE-2017-5932.
* gnu/packages/bash.scm (bash)[replacement]: Remove. (bash-minimal)[replacement]: Remove. (url-fetch/reset-patch-level, bash/fixed): Remove.
---
 gnu/packages/bash.scm | 41 +----------------------------------------
 1 file changed, 1 insertion(+), 40 deletions(-)
diff --git a/gnu/packages/bash.scm b/gnu/packages/bash.scm
index ec9f83519f..910da0b197 100644
--- a/gnu/packages/bash.scm
+++ b/gnu/packages/bash.scm
@@ -65,7 +65,7 @@
 (4 "1cy8abf96hkrjhw921ndr0shlcnc52bg45rn6xri4v5clhq0l25d")
 (5 "0a8515kyk4zsgmvlqvlganjfr7pq0j6kzpr4d6xx02kpbdr4n7i2")
 (6 "1f24wgqngmj2mrj9yibwvc2zvlmn5xi53mnw777g3l40c4m2x3ka")
- (7 "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y")
+ (7 "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y") ;CVE-2017-5932
 (8 "1firw915mjm03hbbw9a70ch3cpgrgnvqjpllgdnn6csr8q04f546")
 (9 "0g1l56kvw61rpw7dqa9fcl9llkl693h73g631hrhxlm030ddssqb")
 (10 "01lfhrkdsdkdz8ypzapr614ras23x7ckjnr60aa5bzkaqprccrc4")
@@ -110,7 +110,6 @@ number/base32-hash tuples, directly usable in the 'patch-series' form."
 (version "4.4"))
 (package
 (name "bash")
- (replacement bash/fixed)
 (source (origin
 (method url-fetch)
 (uri (string-append
@@ -204,7 +203,6 @@ without modification.")
 ;; A stripped-down Bash for non-interactive use.
 (package (inherit bash)
 (name "bash-minimal")
- (replacement #f) ;not vulnerable to CVE-2017-5932 since it lacks completion
 (inputs '()) ; no readline, no curses
 ;; No "include" output because there's no support for loadable modules.
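Review bot: The `;CVE-2017-5932` comment added to entry 7 in the first hunk does not say that this patch is the fix. After this commit it is the only trace of the CVE left in the file, because the later hunks delete both the `bash/fixed` definition (annotated "RCE with completion") and the `bash-minimal` remark that it lacks completion. I would make the comment carry that information, for example `;fixes CVE-2017-5932 (RCE with completion)`. Dropping the graft is only safe if the main `bash` source applies this list up to and including patch 7; the entry is visible here, but the form that consumes the list lies outside the hunks, so that should be confirmed before merging.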
@@ -260,43 +258,6 @@ without modification.")
 (delete-file-recursively (string-append out "/share"))
 #t))))))))))
-(define* (url-fetch/reset-patch-level url hash-algo hash
- #:optional name
- #:key (system (%current-system)) guile)
- "Fetch the Bash patch from URL and reset its 'PATCHLEVEL' definition so it
-can apply to a patch-level 0 Bash."
- (mlet* %store-monad ((name -> (or name (basename url)))
- (patch (url-fetch url hash-algo hash
- (string-append name ".orig")
- #:system system
- #:guile guile)))
- (gexp->derivation name
- (with-imported-modules '((guix build utils))
- #~(begin
- (use-modules (guix build utils))
- (copy-file #$patch #$output)
- (substitute* #$output
- (("PATCHLEVEL [0-6]+")
- "PATCHLEVEL 0"))))
- #:guile-for-build guile
- #:system system)))
-
-(define bash/fixed ;CVE-2017-5932 (RCE with completion)
- (package
- (inherit bash)
- (version "4.4.A") ;4.4.0 + patch #7
- (replacement #f)
- (source
- (origin
- (inherit (package-source bash))
- (patches (cons (origin
- (method url-fetch/reset-patch-level)
- (uri (patch-url 7))
- (sha256
- (base32
- "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y")))
- (origin-patches (package-source bash))))))))
-
 (define-public bash-completion
 (package
 (name "bash-completion")