
03/03: gnu: bash: Remove graft for CVE-2017-5932.


From: Ludovic Courtès
Subject: 03/03: gnu: bash: Remove graft for CVE-2017-5932.
Date: Fri, 10 Feb 2017 12:08:13 -0500 (EST)

civodul pushed a commit to branch core-updates
in repository guix.

commit 20c1b4b88d396b6261660e2fda03229094cce62d
Author: Ludovic Courtès <address@hidden>
Date:   Fri Feb 10 17:44:31 2017 +0100

    gnu: bash: Remove graft for CVE-2017-5932.
    
    * gnu/packages/bash.scm (bash)[replacement]: Remove.
    (bash-minimal)[replacement]: Remove.
    (url-fetch/reset-patch-level, bash/fixed): Remove.
---
 gnu/packages/bash.scm | 41 +----------------------------------------
 1 file changed, 1 insertion(+), 40 deletions(-)

diff --git a/gnu/packages/bash.scm b/gnu/packages/bash.scm
index ec9f835..910da0b 100644
--- a/gnu/packages/bash.scm
+++ b/gnu/packages/bash.scm
@@ -65,7 +65,7 @@
    (4 "1cy8abf96hkrjhw921ndr0shlcnc52bg45rn6xri4v5clhq0l25d")
    (5 "0a8515kyk4zsgmvlqvlganjfr7pq0j6kzpr4d6xx02kpbdr4n7i2")
    (6 "1f24wgqngmj2mrj9yibwvc2zvlmn5xi53mnw777g3l40c4m2x3ka")
-   (7 "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y")
+   (7 "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y") ;CVE-2017-5932
    (8 "1firw915mjm03hbbw9a70ch3cpgrgnvqjpllgdnn6csr8q04f546")
    (9 "0g1l56kvw61rpw7dqa9fcl9llkl693h73g631hrhxlm030ddssqb")
    (10 "01lfhrkdsdkdz8ypzapr614ras23x7ckjnr60aa5bzkaqprccrc4")
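Review bot: The new `;CVE-2017-5932` comment on the patch 7 entry does not say whether that patch fixes the CVE or is merely related to it, and in the lines shown it is the only remaining marker tying the package to the advisory once the graft is gone. The hash on that line is the same one the removed `bash/fixed` definition fetched, so wording such as `;fixes CVE-2017-5932 (RCE with completion)` would keep the explanation that is deleted further down. That wording would presumably also warn anyone trimming or regenerating the patch series that dropping entry 7 brings the vulnerable completion code back into `bash`. The enclosing definition starts and ends outside this hunk.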
@@ -110,7 +110,6 @@ number/base32-hash tuples, directly usable in the 
'patch-series' form."
          (version "4.4"))
     (package
      (name "bash")
-     (replacement bash/fixed)
      (source (origin
               (method url-fetch)
               (uri (string-append
@@ -204,7 +203,6 @@ without modification.")
   ;; A stripped-down Bash for non-interactive use.
   (package (inherit bash)
     (name "bash-minimal")
-    (replacement #f) ;not vulnerable to CVE-2017-5932 since it lacks completion
     (inputs '())                                ; no readline, no curses
 
     ;; No "include" output because there's no support for loadable modules.
@@ -260,43 +258,6 @@ without modification.")
                    (delete-file-recursively (string-append out "/share"))
                    #t))))))))))
 
-(define* (url-fetch/reset-patch-level url hash-algo hash
-                                      #:optional name
-                                      #:key (system (%current-system)) guile)
-  "Fetch the Bash patch from URL and reset its 'PATCHLEVEL' definition so it
-can apply to a patch-level 0 Bash."
-  (mlet* %store-monad ((name -> (or name (basename url)))
-                       (patch (url-fetch url hash-algo hash
-                                         (string-append name ".orig")
-                                         #:system system
-                                         #:guile guile)))
-    (gexp->derivation name
-                      (with-imported-modules '((guix build utils))
-                        #~(begin
-                            (use-modules (guix build utils))
-                            (copy-file #$patch #$output)
-                            (substitute* #$output
-                              (("PATCHLEVEL [0-6]+")
-                               "PATCHLEVEL 0"))))
-                      #:guile-for-build guile
-                      #:system system)))
-
-(define bash/fixed                        ;CVE-2017-5932 (RCE with completion)
-  (package
-    (inherit bash)
-    (version "4.4.A")                             ;4.4.0 + patch #7
-    (replacement #f)
-    (source
-     (origin
-       (inherit (package-source bash))
-       (patches (cons (origin
-                        (method url-fetch/reset-patch-level)
-                        (uri (patch-url 7))
-                        (sha256
-                         (base32
-                          
"1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y")))
-                      (origin-patches (package-source bash))))))))
-
 (define-public bash-completion
   (package
     (name "bash-completion")


