[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
01/01: gnu: util-linux: Fix CVE-2018-7738 without grafting.
From: |
Leo Famulari |
Subject: |
01/01: gnu: util-linux: Fix CVE-2018-7738 without grafting. |
Date: |
Tue, 20 Mar 2018 17:15:19 -0400 (EDT) |
lfam pushed a commit to branch master
in repository guix.
commit af23710ff522bb4e6cedf841c4fb977d96c9d8b3
Author: Leo Famulari <address@hidden>
Date: Mon Mar 19 17:13:26 2018 -0400
gnu: util-linux: Fix CVE-2018-7738 without grafting.
* gnu/packages/linux.scm (util-linux)[replacement]: Remove field.
(util-linux-2.31.1): New variable.
* gnu/system.scm (%base-packages): Use util-linux-2.31.1.
---
gnu/packages/linux.scm | 34 +++++++++++++++++++++++++---------
gnu/system.scm | 4 +++-
2 files changed, 28 insertions(+), 10 deletions(-)
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 6dc45bf..dc9dfbb 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -18,8 +18,8 @@
;;; Copyright © 2016, 2017, 2018 Marius Bakke <address@hidden>
;;; Copyright © 2016 Rene Saavedra <address@hidden>
;;; Copyright © 2016 Carlos Sánchez de La Lama <address@hidden>
-;;; Copyright © 2016, 2017 Nils Gillmann <address@hidden>
-;;; Copyright © 2017 Leo Famulari <address@hidden>
+;;; Copyright © 2016, 2017 ng0 <address@hidden>
+;;; Copyright © 2017, 2018 Leo Famulari <address@hidden>
;;; Copyright © 2017 José Miguel Sánchez García <address@hidden>
;;; Copyright © 2017 Gábor Boskovits <address@hidden>
;;; Copyright © 2017 Mathieu Othacehe <address@hidden>
@@ -547,7 +547,6 @@ providing the system administrator with some help in common
tasks.")
(define-public util-linux
(package
(name "util-linux")
- (replacement util-linux/fixed)
(version "2.31")
(source (origin
(method url-fetch)
@@ -635,14 +634,31 @@ block devices, UUIDs, TTYs, and many other tools.")
(license (list license:gpl3+ license:gpl2+ license:gpl2 license:lgpl2.0+
license:bsd-4 license:public-domain))))
-(define util-linux/fixed
+;; The patch 'util-linux-CVE-2018-7738.patch' fixes a security bug in
+;; the Bash completions for `mount`. Since this bug doesn't affect
+;; other programs that link against libraries from util-linux, we don't
+;; need to use a graft to make the fix available. Instead, users
+;; installing util-linux will get the fix in this newer version, and
+;; (@ (gnu system) %base-packages) takes care to use this package.
+;; This solution was suggested here:
+;; <https://debbugs.gnu.org/cgi/bugreport.cgi?bug=30827#13>
+(define-public util-linux-2.31.1
(package
(inherit util-linux)
- (source
- (origin
- (inherit (package-source util-linux))
- (patches (append (origin-patches (package-source util-linux))
- (search-patches
"util-linux-CVE-2018-7738.patch")))))))
+ (name "util-linux")
+ ;; XXX Don't update this without also updating %base-packages!
+ (version "2.31.1")
+ (source (origin
+ (inherit (package-source util-linux))
+ (uri (string-append "mirror://kernel.org/linux/utils/"
+ name "/v" (version-major+minor version) "/"
+ name "-" version ".tar.xz"))
+ (sha256
+ (base32
+ "04fzrnrr3pvqskvjn9f81y0knh0jvvqx4lmbz5pd4lfdm5pv2l8s"))
+ (patches
+ (append (origin-patches (package-source util-linux))
+ (search-patches "util-linux-CVE-2018-7738.patch")))))))
(define-public ddate
(package
diff --git a/gnu/system.scm b/gnu/system.scm
index eb4b63c..592a0ea 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -515,7 +515,9 @@ explicitly appear in OS."
;; required for basic administrator tasks.
(cons* procps psmisc which less zile nano
pciutils usbutils
- util-linux inetutils isc-dhcp
+ ;; temporary package to fix CVE-2018-7738 without a graft
+ util-linux-2.31.1
+ inetutils isc-dhcp
(@ (gnu packages admin) shadow) ;for 'passwd'
;; wireless-tools is deprecated in favor of iw, but it's still what