bug#47144: closed (security patching of 'patch' package)

emacs-bug-tracker

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#47144: closed (security patching of 'patch' package)

From:	GNU bug Tracking System
Subject:	bug#47144: closed (security patching of 'patch' package)
Date:	Mon, 24 Jun 2024 05:17:04 +0000

Your message dated Mon, 24 Jun 2024 00:43:46 -0400
with message-id <87cyo70x31.fsf_-_@gmail.com>
and subject line Re: bug#47144: security patching of 'patch' package
has caused the debbugs.gnu.org bug report #47144,
regarding security patching of 'patch' package
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs@gnu.org.)


-- 
47144: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=47144
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

--- Begin Message --- Subject: security patching of 'patch' package Date: Sun, 14 Mar 2021 17:37:25 -0400

I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.

       Mark

-------------------- Start of forwarded message --------------------
Subject: security patching of 'patch' package
From: Léo Le Bouter <lle-bout@zaclys.net>
To: guix-devel@gnu.org
Date: Wed, 10 Mar 2021 04:14:35 +0100

Hello!

I could find that the 'patch' package was vulnerable to numerous CVEs
that other distros like Debian have patched. Here's the list reported
by 'guix lint -c cve patch':

patch@2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638,
CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951, CVE-
2018-6952

Can I use latest commit from master to build 'patch' then graft
original package?

i.e. https://git.savannah.gnu.org/git/patch.git

There's not that many commits since last release, but lots of time: 
https://git.savannah.gnu.org/cgit/patch.git/log/

Thank you,
Léo

signature.asc
Description: This is a digitally signed message part

-------------------- End of forwarded message --------------------

--- End Message ---

--- Begin Message --- Subject: Re: bug#47144: security patching of 'patch' package Date: Mon, 24 Jun 2024 00:43:46 -0400 User-agent: Gnus/5.13 (Gnus v5.13)

Hi,

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> * gnu/packages/base.scm (patch): Rename to...
> (patch/pinned): ... this.  Hide package.
> (patch): New variable.
> * gnu/packages/commencement.scm (patch-mesboot): Inherit from patch/pinned.
> (patch-boot0): Likewise.
> (%final-inputs): Replace patch with patch/pinned.
> * gnu/packages/lisp.scm (cl-asdf): Likewise.
> * guix/packages.scm (%standard-patch-inputs): Replace patch with patch/pinned.
>
> Fixes: https://issues.guix.gnu.org/47144
> Reported-by: Mark H Weaver <mhw@netris.org>
> Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873

Applied locally and will push shortly.

-- 
Thanks,
Maxim

--- End Message ---

[Prev in Thread]

Current Thread

[Next in Thread]

bug#47144: closed (security patching of 'patch' package), GNU bug Tracking System <=

Prev by Date: bug#71565: closed ([PATCH] gnu: ibus-minimal: Graft to 1.5.29.)
Next by Date: bug#71671: closed ([PATCH]: Update sbcl-trivial-clipboard to 0.0.0-8.50b3d3a)
Previous by thread: bug#71565: closed ([PATCH] gnu: ibus-minimal: Graft to 1.5.29.)
Next by thread: bug#71671: closed ([PATCH]: Update sbcl-trivial-clipboard to 0.0.0-8.50b3d3a)
Index(es):
- Date
- Thread