~ruther/guix-local

50b8a527efe375ac5377670ff0f159fbbce45312 — Ludovic Courtès 9 years ago afd5323 
gnu: bash: Add graft for patch #7 [fixes CVE-2017-5932].

* gnu/packages/bash.scm (bash)[replacement]: New field.
(bash-minimal): Likewise.
(url-fetch/reset-patch-level): New procedure.
(bash/fixed): New variable.
patch browse .tar.gz 
1 files changed, 42 insertions(+), 0 deletions(-)

M gnu/packages/bash.scm

M gnu/packages/bash.scm => gnu/packages/bash.scm +42 -0
@@ 28,6 28,9 @@
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix utils)
  #:use-module (guix gexp)
  #:use-module (guix monads)
  #:use-module (guix store)
  #:use-module (guix build-system gnu)
  #:autoload   (guix gnupg) (gnupg-verify*)
  #:autoload   (guix hash) (port-sha256)


@@ 95,6 98,7 @@ number/base32-hash tuples, directly usable in the 'patch-series' form."
         (version "4.4"))
    (package
     (name "bash")
     (replacement bash/fixed)
     (source (origin
              (method url-fetch)
              (uri (string-append


@@ 181,6 185,7 @@ without modification.")
  ;; A stripped-down Bash for non-interactive use.
  (package (inherit bash)
    (name "bash-minimal")
    (replacement #f) ;not vulnerable to CVE-2017-5932 since it lacks completion
    (inputs '())                                ; no readline, no curses

    ;; No "include" output because there's no support for loadable modules.


@@ 236,6 241,43 @@ without modification.")
                   (delete-file-recursively (string-append out "/share"))
                   #t))))))))))

(define* (url-fetch/reset-patch-level url hash-algo hash
                                      #:optional name
                                      #:key (system (%current-system)) guile)
  "Fetch the Bash patch from URL and reset its 'PATCHLEVEL' definition so it
can apply to a patch-level 0 Bash."
  (mlet* %store-monad ((name -> (or name (basename url)))
                       (patch (url-fetch url hash-algo hash
                                         (string-append name ".orig")
                                         #:system system
                                         #:guile guile)))
    (gexp->derivation name
                      (with-imported-modules '((guix build utils))
                        #~(begin
                            (use-modules (guix build utils))
                            (copy-file #$patch #$output)
                            (substitute* #$output
                              (("PATCHLEVEL [0-6]+")
                               "PATCHLEVEL 0"))))
                      #:guile-for-build guile
                      #:system system)))

(define bash/fixed                        ;CVE-2017-5932 (RCE with completion)
  (package
    (inherit bash)
    (version "4.4.A")                             ;4.4.0 + patch #7
    (replacement #f)
    (source
     (origin
       (inherit (package-source bash))
       (patches (cons (origin
                        (method url-fetch/reset-patch-level)
                        (uri (patch-url 7))
                        (sha256
                         (base32
                          "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y")))
                      (origin-patches (package-source bash))))))))

(define-public bash-completion
  (package
    (name "bash-completion")