03/03: gnu: bash: Remove graft for CVE-2017-5932.
From: |
Ludovic Courtès |
Subject: |
03/03: gnu: bash: Remove graft for CVE-2017-5932. |
Date: |
Fri, 10 Feb 2017 12:08:13 -0500 (EST) |
civodul pushed a commit to branch core-updates
in repository guix.
commit 20c1b4b88d396b6261660e2fda03229094cce62d
Author: Ludovic Courtès <address@hidden>
Date: Fri Feb 10 17:44:31 2017 +0100
gnu: bash: Remove graft for CVE-2017-5932.
* gnu/packages/bash.scm (bash)[replacement]: Remove.
(bash-minimal)[replacement]: Remove.
(url-fetch/reset-patch-level, bash/fixed): Remove.
---
gnu/packages/bash.scm | 41 +----------------------------------------
1 file changed, 1 insertion(+), 40 deletions(-)
diff --git a/gnu/packages/bash.scm b/gnu/packages/bash.scm
index ec9f835..910da0b 100644
--- a/gnu/packages/bash.scm
+++ b/gnu/packages/bash.scm
@@ -65,7 +65,7 @@
(4 "1cy8abf96hkrjhw921ndr0shlcnc52bg45rn6xri4v5clhq0l25d")
(5 "0a8515kyk4zsgmvlqvlganjfr7pq0j6kzpr4d6xx02kpbdr4n7i2")
(6 "1f24wgqngmj2mrj9yibwvc2zvlmn5xi53mnw777g3l40c4m2x3ka")
- (7 "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y")
+ (7 "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y") ;CVE-2017-5932
(8 "1firw915mjm03hbbw9a70ch3cpgrgnvqjpllgdnn6csr8q04f546")
(9 "0g1l56kvw61rpw7dqa9fcl9llkl693h73g631hrhxlm030ddssqb")
(10 "01lfhrkdsdkdz8ypzapr614ras23x7ckjnr60aa5bzkaqprccrc4")
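Review bot: The new trailing comment `;CVE-2017-5932` on patch 7 does not say whether this entry fixes the CVE or is only related to it. With the graft removed further down, this entry is the only place the fix is delivered. Its hash is the same one the removed `bash/fixed` fetched through `(patch-url 7)`, so the fix now comes from the regular patch series, and presumably reaches `bash-minimal` too, since it inherits from `bash`. I would make the comment explicit, for example `;fixes CVE-2017-5932 (RCE with completion)`, reusing the wording from the removed definition. The enclosing patch list starts and ends outside this hunk.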
@@ -110,7 +110,6 @@ number/base32-hash tuples, directly usable in the
'patch-series' form."
(version "4.4"))
(package
(name "bash")
- (replacement bash/fixed)
(source (origin
(method url-fetch)
(uri (string-append
@@ -204,7 +203,6 @@ without modification.")
;; A stripped-down Bash for non-interactive use.
(package (inherit bash)
(name "bash-minimal")
- (replacement #f) ;not vulnerable to CVE-2017-5932 since it lacks completion
(inputs '()) ; no readline, no curses
;; No "include" output because there's no support for loadable modules.
@@ -260,43 +258,6 @@ without modification.")
(delete-file-recursively (string-append out "/share"))
#t))))))))))
-(define* (url-fetch/reset-patch-level url hash-algo hash
- #:optional name
- #:key (system (%current-system)) guile)
- "Fetch the Bash patch from URL and reset its 'PATCHLEVEL' definition so it
-can apply to a patch-level 0 Bash."
- (mlet* %store-monad ((name -> (or name (basename url)))
- (patch (url-fetch url hash-algo hash
- (string-append name ".orig")
- #:system system
- #:guile guile)))
- (gexp->derivation name
- (with-imported-modules '((guix build utils))
- #~(begin
- (use-modules (guix build utils))
- (copy-file #$patch #$output)
- (substitute* #$output
- (("PATCHLEVEL [0-6]+")
- "PATCHLEVEL 0"))))
- #:guile-for-build guile
- #:system system)))
-
-(define bash/fixed ;CVE-2017-5932 (RCE with completion)
- (package
- (inherit bash)
- (version "4.4.A") ;4.4.0 + patch #7
- (replacement #f)
- (source
- (origin
- (inherit (package-source bash))
- (patches (cons (origin
- (method url-fetch/reset-patch-level)
- (uri (patch-url 7))
- (sha256
- (base32
-
"1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y")))
- (origin-patches (package-source bash))))))))
-
(define-public bash-completion
(package
(name "bash-completion")