--- Begin Message ---
Subject: |
security patching of 'patch' package |
Date: |
Sun, 14 Mar 2021 17:37:25 -0400 |
I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.
Mark
-------------------- Start of forwarded message --------------------
Subject: security patching of 'patch' package
From: Léo Le Bouter <lle-bout@zaclys.net>
To: guix-devel@gnu.org
Date: Wed, 10 Mar 2021 04:14:35 +0100
Hello!
I could find that the 'patch' package was vulnerable to numerous CVEs
that other distros like Debian have patched. Here's the list reported
by 'guix lint -c cve patch':
patch@2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638,
CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951, CVE-
2018-6952
Can I use latest commit from master to build 'patch' then graft
original package?
i.e. https://git.savannah.gnu.org/git/patch.git
There's not that many commits since last release, but lots of time:
https://git.savannah.gnu.org/cgit/patch.git/log/
Thank you,
Léo
signature.asc
Description: This is a digitally signed message part
-------------------- End of forwarded message --------------------
--- End Message ---
--- Begin Message ---
Subject: |
Re: bug#47144: security patching of 'patch' package |
Date: |
Mon, 24 Jun 2024 00:43:46 -0400 |
User-agent: |
Gnus/5.13 (Gnus v5.13) |
Hi,
Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:
> * gnu/packages/base.scm (patch): Rename to...
> (patch/pinned): ... this. Hide package.
> (patch): New variable.
> * gnu/packages/commencement.scm (patch-mesboot): Inherit from patch/pinned.
> (patch-boot0): Likewise.
> (%final-inputs): Replace patch with patch/pinned.
> * gnu/packages/lisp.scm (cl-asdf): Likewise.
> * guix/packages.scm (%standard-patch-inputs): Replace patch with patch/pinned.
>
> Fixes: https://issues.guix.gnu.org/47144
> Reported-by: Mark H Weaver <mhw@netris.org>
> Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873
Applied locally and will push shortly.
--
Thanks,
Maxim
--- End Message ---