gnu: patch: Update to latest commit [security fixes].

* gnu/packages/base.scm (patch): Rename to...
(patch/pinned): ... this.  Hide package.
(patch): New variable.
* gnu/packages/commencement.scm (patch-mesboot): Inherit from patch/pinned.
(patch-boot0): Likewise.
(%final-inputs): Replace patch with patch/pinned.
* gnu/packages/lisp.scm (cl-asdf): Likewise.
* guix/packages.scm (%standard-patch-inputs): Replace patch with patch/pinned.

Fixes: https://issues.guix.gnu.org/47144
Reported-by: Mark H Weaver <mhw@netris.org>
Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873

gnu/packages/base.scm

@@ -19,7 +19,7 @@
 ;;; Copyright © 2021 Leo Le Bouter <lle-bout@zaclys.net>
 ;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
 ;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net>
-;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 ;;; Copyright © 2022 zamfofex <zamfofex@twdb.moe>
 ;;; Copyright © 2022 John Kehayias <john.kehayias@protonmail.com>
 ;;; Copyright © 2023 Josselin Poiret <dev@jpoiret.xyz>
@@ -46,8 +46,10 @@
   #:use-module (gnu packages acl)
   #:use-module (gnu packages algebra)
   #:use-module (gnu packages attr)
+  #:use-module (gnu packages autotools)
   #:use-module (gnu packages bash)
   #:use-module (gnu packages bison)
+  #:use-module (gnu packages build-tools)
   #:use-module (gnu packages gcc)
   #:use-module (gnu packages guile)
   #:use-module (gnu packages multiprecision)
@@ -261,35 +263,83 @@ standard utility.")
    (license gpl3+)
    (home-page "https://www.gnu.org/software/tar/")))
 
-(define-public patch
+;;; TODO: Replace/merge with 'patch' on core-updates.
-  (package
+(define-public patch/pinned
-    (name "patch")
+  (hidden-package
-    (version "2.7.6")
+   (package
-    (source (origin
+     (name "patch")
-              (method url-fetch)
+     (version "2.7.6")
-              (uri (string-append "mirror://gnu/patch/patch-"
+     (source (origin
-                                  version ".tar.xz"))
+               (method url-fetch)
-              (sha256
+               (uri (string-append "mirror://gnu/patch/patch-"
-               (base32
+                                   version ".tar.xz"))
-                "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc"))
+               (sha256
-              (patches (search-patches "patch-hurd-path-max.patch"))))
+                (base32
-    (build-system gnu-build-system)
+                 "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc"))
-    (arguments
+               (patches (search-patches "patch-hurd-path-max.patch"))))
-     ;; Work around a cross-compilation bug whereby libpatch.a would provide
+     (build-system gnu-build-system)
-     ;; '__mktime_internal', which conflicts with the one in libc.a.
+     (arguments
-     (if (%current-target-system)
+      ;; Work around a cross-compilation bug whereby libpatch.a would provide
-         `(#:configure-flags '("gl_cv_func_working_mktime=yes"))
+      ;; '__mktime_internal', which conflicts with the one in libc.a.
-         '()))
+      (if (%current-target-system)
-    (native-inputs (list ed))
+          `(#:configure-flags '("gl_cv_func_working_mktime=yes"))
-    (synopsis "Apply differences to originals, with optional backups")
+          '()))
-    (description
+     (native-inputs (list ed))
-     "Patch is a program that applies changes to files based on differences
+     (synopsis "Apply differences to originals, with optional backups")
+     (description
+      "Patch is a program that applies changes to files based on differences
 laid out as by the program \"diff\".  The changes may be applied to one or more
 files depending on the contents of the diff file.  It accepts several
 different diff formats.  It may also be used to revert previously applied
 differences.")
-    (license gpl3+)
+     (license gpl3+)
-    (home-page "https://savannah.gnu.org/projects/patch/")))
+     (home-page "https://savannah.gnu.org/projects/patch/"))))
+
+(define-public patch
+  ;; The latest release is from 2018, and lacks multiple security related
+  ;; patches.  Since Fedora carries 23 patches, simply use the latest commit
+  ;; until a proper release is made.
+  (let ((revision "0")
+        (commit "f144b35425d9d7732ea5485034c1a6b7a106ab92")
+        (base patch/pinned))
+    (package
+      (inherit base)
+      (name "patch")
+      (version (git-version "2.7.6" revision commit))
+      (source (origin
+                (method git-fetch)
+                (uri (git-reference
+                      (url "https://git.savannah.gnu.org/git/patch.git")
+                      (commit commit)))
+                (file-name (git-file-name name version))
+                (sha256
+                 (base32
+                  "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz"))
+                (patches (search-patches "patch-hurd-path-max.patch"))))
+      (arguments
+       (substitute-keyword-arguments (package-arguments base)
+         ((#:phases phases '%standard-phases)
+          #~(modify-phases #$phases
+              (add-after 'unpack 'copy-gnulib-sources
+                (lambda _
+                  ;; XXX: We copy the source instead of using 'gnulib' as a
+                  ;; native input to avoid introducing a dependency cycle.
+                  (copy-recursively #+gnulib "gnulib")
+                  (setenv "GNULIB_SRCDIR"
+                          (string-append (getcwd) "/gnulib/src/gnulib"))))
+              (add-after 'copy-gnulib-sources 'update-bootstrap-script
+                (lambda _
+                  (copy-file "gnulib/src/gnulib/build-aux/bootstrap"
+                             "bootstrap")))
+              (add-after 'unpack 'patch-configure.ac
+                (lambda _
+                  (substitute* "configure.ac"
+                    ;; The gnulib-provided git-version-gen script has a plain
+                    ;; shebang of #!/bin/sh; avoid using it.
+                    (("build-aux/git-version-gen" all)
+                     (string-append "sh " all)))))))))
+      (native-inputs (list autoconf automake bison ed))
+      (properties '()))))
 
 (define-public diffutils
   (package

gnu/packages/commencement.scm

@@ -878,7 +878,7 @@ MesCC-Tools), and finally M2-Planet.")
 (define patch-mesboot
   ;; The initial patch.
   (package
-    (inherit patch)
+    (inherit patch/pinned)
     (name "patch-mesboot")
     (version "2.5.9")
     (source (origin
@@ -2167,8 +2167,8 @@ exec " gcc "/bin/" program
 
 (define patch-boot0
   (package
-    (inherit patch)
+    (inherit patch/pinned)
-    (source (bootstrap-origin (package-source patch)))
+    (source (bootstrap-origin (package-source patch/pinned)))
     (name "patch-boot0")
     (native-inputs '())
     (inputs
@@ -3482,7 +3482,7 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
                    ("bzip2" ,bzip2)
                    ("file" ,file)
                    ("diffutils" ,diffutils)
-                   ("patch" ,patch)
+                   ("patch" ,patch/pinned)
                    ("findutils" ,findutils)
                    ("gawk" ,gawk)))
           ("sed" ,sed-final)

gnu/packages/lisp.scm

@@ -382,7 +382,7 @@ interface.")
     (build-system trivial-build-system)
     (native-inputs
      `(("config-patch" ,@(search-patches "cl-asdf-config-directories.patch"))
-       ("patch" ,patch)))
+       ("patch" ,patch/pinned)))
     (arguments
      `(#:modules ((guix build utils)
                   (guix build lisp-utils))

guix/packages.scm

@@ -899,7 +899,7 @@ identifiers.  The result is inferred from the file names of patches."
       ("gzip"  ,(ref '(gnu packages compression) 'gzip))
       ("lzip"  ,(ref '(gnu packages compression) 'lzip))
       ("unzip" ,(ref '(gnu packages compression) 'unzip))
-      ("patch" ,(ref '(gnu packages base) 'patch))
+      ("patch" ,(ref '(gnu packages base) 'patch/pinned))
       ("locales"
        ,(parameterize ((%current-target-system #f)
                        (%current-system system))