gnu: bash: Remove graft for CVE-2017-5932.
* gnu/packages/bash.scm (bash)[replacement]: Remove. (bash-minimal)[replacement]: Remove. (url-fetch/reset-patch-level, bash/fixed): Remove.master
parent
768f0ac9dd
commit
20c1b4b88d
|
@ -65,7 +65,7 @@
|
||||||
(4 "1cy8abf96hkrjhw921ndr0shlcnc52bg45rn6xri4v5clhq0l25d")
|
(4 "1cy8abf96hkrjhw921ndr0shlcnc52bg45rn6xri4v5clhq0l25d")
|
||||||
(5 "0a8515kyk4zsgmvlqvlganjfr7pq0j6kzpr4d6xx02kpbdr4n7i2")
|
(5 "0a8515kyk4zsgmvlqvlganjfr7pq0j6kzpr4d6xx02kpbdr4n7i2")
|
||||||
(6 "1f24wgqngmj2mrj9yibwvc2zvlmn5xi53mnw777g3l40c4m2x3ka")
|
(6 "1f24wgqngmj2mrj9yibwvc2zvlmn5xi53mnw777g3l40c4m2x3ka")
|
||||||
(7 "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y")
|
(7 "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y") ;CVE-2017-5932
|
||||||
(8 "1firw915mjm03hbbw9a70ch3cpgrgnvqjpllgdnn6csr8q04f546")
|
(8 "1firw915mjm03hbbw9a70ch3cpgrgnvqjpllgdnn6csr8q04f546")
|
||||||
(9 "0g1l56kvw61rpw7dqa9fcl9llkl693h73g631hrhxlm030ddssqb")
|
(9 "0g1l56kvw61rpw7dqa9fcl9llkl693h73g631hrhxlm030ddssqb")
|
||||||
(10 "01lfhrkdsdkdz8ypzapr614ras23x7ckjnr60aa5bzkaqprccrc4")
|
(10 "01lfhrkdsdkdz8ypzapr614ras23x7ckjnr60aa5bzkaqprccrc4")
|
||||||
|
@ -110,7 +110,6 @@ number/base32-hash tuples, directly usable in the 'patch-series' form."
|
||||||
(version "4.4"))
|
(version "4.4"))
|
||||||
(package
|
(package
|
||||||
(name "bash")
|
(name "bash")
|
||||||
(replacement bash/fixed)
|
|
||||||
(source (origin
|
(source (origin
|
||||||
(method url-fetch)
|
(method url-fetch)
|
||||||
(uri (string-append
|
(uri (string-append
|
||||||
|
@ -204,7 +203,6 @@ without modification.")
|
||||||
;; A stripped-down Bash for non-interactive use.
|
;; A stripped-down Bash for non-interactive use.
|
||||||
(package (inherit bash)
|
(package (inherit bash)
|
||||||
(name "bash-minimal")
|
(name "bash-minimal")
|
||||||
(replacement #f) ;not vulnerable to CVE-2017-5932 since it lacks completion
|
|
||||||
(inputs '()) ; no readline, no curses
|
(inputs '()) ; no readline, no curses
|
||||||
|
|
||||||
;; No "include" output because there's no support for loadable modules.
|
;; No "include" output because there's no support for loadable modules.
|
||||||
|
@ -260,43 +258,6 @@ without modification.")
|
||||||
(delete-file-recursively (string-append out "/share"))
|
(delete-file-recursively (string-append out "/share"))
|
||||||
#t))))))))))
|
#t))))))))))
|
||||||
|
|
||||||
(define* (url-fetch/reset-patch-level url hash-algo hash
|
|
||||||
#:optional name
|
|
||||||
#:key (system (%current-system)) guile)
|
|
||||||
"Fetch the Bash patch from URL and reset its 'PATCHLEVEL' definition so it
|
|
||||||
can apply to a patch-level 0 Bash."
|
|
||||||
(mlet* %store-monad ((name -> (or name (basename url)))
|
|
||||||
(patch (url-fetch url hash-algo hash
|
|
||||||
(string-append name ".orig")
|
|
||||||
#:system system
|
|
||||||
#:guile guile)))
|
|
||||||
(gexp->derivation name
|
|
||||||
(with-imported-modules '((guix build utils))
|
|
||||||
#~(begin
|
|
||||||
(use-modules (guix build utils))
|
|
||||||
(copy-file #$patch #$output)
|
|
||||||
(substitute* #$output
|
|
||||||
(("PATCHLEVEL [0-6]+")
|
|
||||||
"PATCHLEVEL 0"))))
|
|
||||||
#:guile-for-build guile
|
|
||||||
#:system system)))
|
|
||||||
|
|
||||||
(define bash/fixed ;CVE-2017-5932 (RCE with completion)
|
|
||||||
(package
|
|
||||||
(inherit bash)
|
|
||||||
(version "4.4.A") ;4.4.0 + patch #7
|
|
||||||
(replacement #f)
|
|
||||||
(source
|
|
||||||
(origin
|
|
||||||
(inherit (package-source bash))
|
|
||||||
(patches (cons (origin
|
|
||||||
(method url-fetch/reset-patch-level)
|
|
||||||
(uri (patch-url 7))
|
|
||||||
(sha256
|
|
||||||
(base32
|
|
||||||
"1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y")))
|
|
||||||
(origin-patches (package-source bash))))))))
|
|
||||||
|
|
||||||
(define-public bash-completion
|
(define-public bash-completion
|
||||||
(package
|
(package
|
||||||
(name "bash-completion")
|
(name "bash-completion")
|
||||||
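Review bot: With the graft gone, the CVE-2017-5932 fix rests entirely on patch 7 being applied through the 4.4 patch series, yet the `(version "4.4")` line in the -110 hunk still carries no patch level, which is what CVE matching on package versions keys on; consider `(version "4.4.10")` (the highest entry visible in the series at the -65 hunk) or a comment beside the version stating that the numbered patch series is applied. The annotation added to entry 7 in the -65 hunk loses the short description the removed bash/fixed definition carried; `(7 "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y") ;CVE-2017-5932 (RCE with completion)` keeps that context next to the patch that fixes it. The code that feeds this series into bash's `patches` field is outside the hunks, so whether entry 7 is actually consumed by the bash package cannot be confirmed from here and is worth checking in the same review.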