gnu: bash: Add graft for patch #7 [fixes CVE-2017-5932].
* gnu/packages/bash.scm (bash)[replacement]: New field. (bash-minimal): Likewise. (url-fetch/reset-patch-level): New procedure. (bash/fixed): New variable.
parent
afd5323378
commit
50b8a527ef
@ -28,6 +28,9 @@
#:use-module (guix packages)
#:use-module (guix packages)
#:use-module (guix download)
#:use-module (guix download)
#:use-module (guix utils)
#:use-module (guix utils)
#:use-module (guix gexp)
#:use-module (guix monads)
#:use-module (guix store)
#:use-module (guix build-system gnu)
#:use-module (guix build-system gnu)
#:autoload (guix gnupg) (gnupg-verify*)
#:autoload (guix gnupg) (gnupg-verify*)
#:autoload (guix hash) (port-sha256)
#:autoload (guix hash) (port-sha256)
@ -95,6 +98,7 @@ number/base32-hash tuples, directly usable in the 'patch-series' form."
(version "4.4"))
(version "4.4"))
(package
(package
(name "bash")
(name "bash")
(replacement bash/fixed)
(source (origin
(source (origin
(method url-fetch)
(method url-fetch)
(uri (string-append
(uri (string-append
@ -181,6 +185,7 @@ without modification.")
;; A stripped-down Bash for non-interactive use.
;; A stripped-down Bash for non-interactive use.
(package (inherit bash)
(package (inherit bash)
(name "bash-minimal")
(name "bash-minimal")
(replacement #f) ;not vulnerable to CVE-2017-5932 since it lacks completion
(inputs '()) ; no readline, no curses
(inputs '()) ; no readline, no curses
;; No "include" output because there's no support for loadable modules.
;; No "include" output because there's no support for loadable modules.
@ -236,6 +241,43 @@ without modification.")
(delete-file-recursively (string-append out "/share"))
(delete-file-recursively (string-append out "/share"))
#t))))))))))
#t))))))))))
(define* (url-fetch/reset-patch-level url hash-algo hash
#:optional name
#:key (system (%current-system)) guile)
"Fetch the Bash patch from URL and reset its 'PATCHLEVEL' definition so it
can apply to a patch-level 0 Bash."
(mlet* %store-monad ((name -> (or name (basename url)))
(patch (url-fetch url hash-algo hash
(string-append name ".orig")
#:system system
#:guile guile)))
(gexp->derivation name
(with-imported-modules '((guix build utils))
#~(begin
(use-modules (guix build utils))
(copy-file #$patch #$output)
(substitute* #$output
(("PATCHLEVEL [0-6]+")
"PATCHLEVEL 0"))))
#:guile-for-build guile
#:system system)))
(define bash/fixed ;CVE-2017-5932 (RCE with completion)
(package
(inherit bash)
(version "4.4.A") ;4.4.0 + patch #7
(replacement #f)
(source
(origin
(inherit (package-source bash))
(patches (cons (origin
(method url-fetch/reset-patch-level)
(uri (patch-url 7))
(sha256
(base32
"1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y")))
(origin-patches (package-source bash))))))))
(define-public bash-completion
(define-public bash-completion
(package
(package
(name "bash-completion")
(name "bash-completion")
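Review bot: The pattern `PATCHLEVEL [0-6]+` in url-fetch/reset-patch-level hard-codes patch #7 without saying so: the digit class stops at 6 so that only the level the patch expects to find is reset while the level it installs (7, if the upstream patch goes 6 to 7 as the series convention suggests) is left alone, yet the procedure's name and docstring read as generic, and reusing it for patch #8, whose expected level would be 7, would leave the `-` line untouched and the patch unapplicable. I would extend the docstring with a sentence such as `Only the pre-patch level is rewritten (hence the [0-6] range); the level the patch installs is kept, so the result takes a level-0 tree straight to it.`, or take the patch number as an argument and build the pattern from it. Relatedly, `(version "4.4.A")` in bash/fixed looks chosen to keep the same string length as the original package's version, which a graft needs because it rewrites store file names in place; the trailing comment should record that, e.g. `(version "4.4.A") ;4.4.0 + patch #7; same length as "4.4.0", as grafting requires`.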