Browse Source

Merge branch 'bash-cve-2014-6271'

gn-latest-20200428
Ludovic Courtès 6 years ago
parent
commit
b5c5d763ca
4 changed files with 95 additions and 11 deletions
  1. +78
    -5
      gnu/packages/bash.scm
  2. +9
    -2
      gnu/packages/bootstrap.scm
  3. +2
    -2
      guix/gnupg.scm
  4. +6
    -2
      guix/packages.scm

+ 78
- 5
gnu/packages/bash.scm View File

@@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2012, 2013 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2012, 2013, 2014 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -23,7 +23,76 @@
#:use-module (guix packages)
#:use-module (guix download)
#:use-module (guix utils)
#:use-module (guix build-system gnu))
#:use-module (guix build-system gnu)
#:autoload (guix gnupg) (gnupg-verify*)
#:autoload (guix hash) (port-sha256)
#:autoload (guix base32) (bytevector->nix-base32-string)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-26)
#:use-module (ice-9 format))

(define (patch-url seqno)
"Return the URL of Bash patch number SEQNO."
(format #f "mirror://gnu/bash/bash-4.3-patches/bash43-~3,'0d" seqno))

(define (bash-patch seqno sha256)
"Return the origin of Bash patch SEQNO, with expected hash SHA256"
(origin
(method url-fetch)
(uri (patch-url seqno))
(sha256 sha256)))

(define-syntax-rule (patch-series (seqno hash) ...)
(list (bash-patch seqno (base32 hash))
...))

(define %patch-series-4.3
;; This is the current patches series for 4.3, generated using
;; 'download-patches' below.
(patch-series
(1 "0hip2n2s5hws8p4nfcz37379zn6cak83ljsm64z52rw6ckrdzczc")
(2 "0ashj5d1g3zbyr7zf0r72s5wnk96cz1xj919y3jajadbc9qcvrzf")
(3 "0z88q4daq7dmw93iqd9c5i5d1sndklih3nrh0v75746da2n6w3h0")
(4 "0f0kh9j5k4ym6knshscx31przm50x5cc7ifkwqk0swh6clna982y")
(5 "1ym3b8b7lgmdp3dklp8qaqhyq965wd5392namq8mz7rb0d231j0s")
(6 "04q20igq49py49ynb0f83f6f52cdkyqwd9bpic6akr0m5pkqwr50")
(7 "18zkz23d9myshrwfcwcdjk7qmkqp8az5n91ni9jaixlwqlhy64qi")
(8 "0pprcwvh7ngdli0x95pc1cpssg4qg7layi9xrv2jq6c7965ajhcr")
(9 "19a0pf0alp30d1bjj0zf3zq2f5n0s6y91w7brm9jyswl51kns8n0")
(10 "1dzhr5ammyijisz48cqi5vaw26hfr5vh9smnqxq4qc9p06f7j1ff")
(11 "0fvzdzzi142a8rf3v965r6gbpn0k7fv2gif1yq8a4160vcn40qvw")
(12 "04lcgfcyz7p3zagb4hkia3hkpd7lii9m8ycy9qqwzyrm1c1pj4ry")
(13 "0y9cqi378z6flapkd5k5lfl4lq3ivzg4njj3i3wmw7xb6r9wma5z")
(14 "04xcb0k9fxxq4vashgzb98567xzdnm4655nlm4jvfvjv6si6ykas")
(15 "13ay6lldy1p00xj41nfjpq8lai3vw2qwca79gx6s80z04j53wa8k")
(16 "0wq7bvx3pfw90pnfb86yg5nr9jgjsvm2nq5rrkqxf6zn977hpmlj")
(17 "103p7sibihv6cshqj12k546zsbz0dnd5cv5vlx1719avddfc4rqj")
(18 "0n1x3812y1brb9xbabaj3fvr4cpvm2225iwckmqk2fcpkq5b9a3s")
(19 "08rd1p7zpzgbpmmmnj2im8wj2pcwmbbx51psr9vdc5c049si9ad7")
(20 "163c6g05qpag2plx5q795pmw3f3m904jy7z93xj2i08pgzc8cpna")
(21 "1a90cl3h10dh8k9f2ddrsjmw5ywaw2d5x78xb4fd2sryi039yhs1")
(22 "120s0s4qcqd0q12j1iv0hkpf9fp3w5jnqw646kv66n66jnxlfkgx")
(23 "1m00sfi88p2akgiyrg4hw0gvz3s1586pkzjdr3dm73vs773m1hls")
(24 "0v0gjqzjsqjfgj5x17fq7g649k94jn8zq92qsxkhc2d6l215hl1v")
(25 "0lcj96i659q35f1jcmwwbnw3p7w7vvlxjxqi989vn6d6qksqcl8y"))) ;CVE-2014-6271

(define (download-patches store count)
"Download COUNT Bash patches into store. Return a list of
number/base32-hash tuples, directly usable in the 'patch-series' form."
(unfold (cut > <> count)
(lambda (number)
(let* ((patch (download-to-store store (patch-url number)))
(sig (download-to-store store
(string-append (patch-url number)
".sig"))))
(unless (gnupg-verify* sig patch)
(error "failed to verify signature" patch))

(list number
(bytevector->nix-base32-string
(call-with-input-file patch port-sha256)))))
1+
1))

(define-public bash
(let* ((cppflags (string-join '("-DSYS_BASHRC='\"/etc/bashrc\"'"
@@ -48,17 +117,21 @@
;; Add a `bash' -> `sh' link.
(let ((out (assoc-ref outputs "out")))
(with-directory-excursion (string-append out "/bin")
(symlink "bash" "sh"))))))
(symlink "bash" "sh")))))
(version "4.3"))
(package
(name "bash")
(version "4.3")
(source (origin
(method url-fetch)
(uri (string-append
"mirror://gnu/bash/bash-" version ".tar.gz"))
(sha256
(base32
"1m14s1f61mf6bijfibcjm9y6pkyvz6gibyl8p4hxq90fisi8gimg"))))
"1m14s1f61mf6bijfibcjm9y6pkyvz6gibyl8p4hxq90fisi8gimg"))
(patch-flags '("-p0"))
(patches %patch-series-4.3)))
(version (string-append version "."
(number->string (length %patch-series-4.3))))
(build-system gnu-build-system)
(inputs `(("readline" ,readline)
("ncurses" ,ncurses))) ; TODO: add texinfo


+ 9
- 2
gnu/packages/bootstrap.scm View File

@@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2012, 2013 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2012, 2013, 2014 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -78,7 +78,14 @@
(boot url-fetch))
(else orig-method)))
(patch-guile %bootstrap-guile)
(patch-inputs %bootstrap-patch-inputs))))
(patch-inputs %bootstrap-patch-inputs)

;; Patches can be origins as well, so process them.
(patches (map (match-lambda
((? origin? patch)
(bootstrap-origin patch))
(patch patch))
(origin-patches source))))))

(define (package-from-tarball name source program-to-test description)
"Return a package that correspond to the extraction of SOURCE.


+ 2
- 2
guix/gnupg.scm View File

@@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2010, 2011, 2013 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2010, 2011, 2013, 2014 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
;;;
;;; This file is part of GNU Guix.
@@ -54,7 +54,7 @@
;; See file `doc/DETAILS' in GnuPG.
(define sigid-rx
(make-regexp
"^\\[GNUPG:\\] SIG_ID ([A-Za-z0-9/]+) ([[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}) ([[:digit:]]+)"))
"^\\[GNUPG:\\] SIG_ID ([A-Za-z0-9+/]+) ([[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}) ([[:digit:]]+)"))
(define goodsig-rx
(make-regexp "^\\[GNUPG:\\] GOODSIG ([[:xdigit:]]+) (.+)$"))
(define validsig-rx


+ 6
- 2
guix/packages.scm View File

@@ -345,8 +345,12 @@ IMPORTED-MODULES specify modules to use/import for use by SNIPPET."
(define patch-inputs
(map (lambda (number patch)
(list (string-append "patch" (number->string number))
(add-to-store store (basename patch) #t
"sha256" patch)))
(match patch
((? string?)
(add-to-store store (basename patch) #t
"sha256" patch))
((? origin?)
(package-source-derivation store patch)))))
(iota (length patches))

patches))


Loading…
Cancel
Save