aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLudovic Courtès <ludo@gnu.org>2017-02-10 10:34:33 +0100
committerLudovic Courtès <ludo@gnu.org>2017-02-10 16:44:57 +0100
commit50b8a527efe375ac5377670ff0f159fbbce45312 (patch)
treea367acc2ab781b229f516835bdec4cb68d503d74
parentafd532337821f4bdfe9d1f0b6387a1c26df1f458 (diff)
downloadguix-50b8a527efe375ac5377670ff0f159fbbce45312.tar.gz
guix-50b8a527efe375ac5377670ff0f159fbbce45312.zip
gnu: bash: Add graft for patch #7 [fixes CVE-2017-5932].
* gnu/packages/bash.scm (bash)[replacement]: New field. (bash-minimal): Likewise. (url-fetch/reset-patch-level): New procedure. (bash/fixed): New variable.
-rw-r--r--gnu/packages/bash.scm42
1 files changed, 42 insertions, 0 deletions
diff --git a/gnu/packages/bash.scm b/gnu/packages/bash.scm
index dcf771aef0..c121fd84d6 100644
--- a/gnu/packages/bash.scm
+++ b/gnu/packages/bash.scm
@@ -28,6 +28,9 @@
#:use-module (guix packages)
#:use-module (guix download)
#:use-module (guix utils)
+ #:use-module (guix gexp)
+ #:use-module (guix monads)
+ #:use-module (guix store)
#:use-module (guix build-system gnu)
#:autoload (guix gnupg) (gnupg-verify*)
#:autoload (guix hash) (port-sha256)
@@ -95,6 +98,7 @@ number/base32-hash tuples, directly usable in the 'patch-series' form."
(version "4.4"))
(package
(name "bash")
+ (replacement bash/fixed)
(source (origin
(method url-fetch)
(uri (string-append
@@ -181,6 +185,7 @@ without modification.")
;; A stripped-down Bash for non-interactive use.
(package (inherit bash)
(name "bash-minimal")
+ (replacement #f) ;not vulnerable to CVE-2017-5932 since it lacks completion
(inputs '()) ; no readline, no curses
;; No "include" output because there's no support for loadable modules.
@@ -236,6 +241,43 @@ without modification.")
(delete-file-recursively (string-append out "/share"))
#t))))))))))
+(define* (url-fetch/reset-patch-level url hash-algo hash
+ #:optional name
+ #:key (system (%current-system)) guile)
+ "Fetch the Bash patch from URL and reset its 'PATCHLEVEL' definition so it
+can apply to a patch-level 0 Bash."
+ (mlet* %store-monad ((name -> (or name (basename url)))
+ (patch (url-fetch url hash-algo hash
+ (string-append name ".orig")
+ #:system system
+ #:guile guile)))
+ (gexp->derivation name
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils))
+ (copy-file #$patch #$output)
+ (substitute* #$output
+ (("PATCHLEVEL [0-6]+")
+ "PATCHLEVEL 0"))))
+ #:guile-for-build guile
+ #:system system)))
+
+(define bash/fixed ;CVE-2017-5932 (RCE with completion)
+ (package
+ (inherit bash)
+ (version "4.4.A") ;4.4.0 + patch #7
+ (replacement #f)
+ (source
+ (origin
+ (inherit (package-source bash))
+ (patches (cons (origin
+ (method url-fetch/reset-patch-level)
+ (uri (patch-url 7))
+ (sha256
+ (base32
+ "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y")))
+ (origin-patches (package-source bash))))))))
+
(define-public bash-completion
(package
(name "bash-completion")