GNU bug report logs -
#30827
[PATCH] gnu: util-linux: Fix CVE-2018-7738.
Previous Next
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Thu, 15 Mar 2018 18:00:02 UTC
Severity: normal
Tags: patch
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 30827 in the body.
You can then email your comments to 30827 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
guix-patches <at> gnu.org:
bug#30827; Package
guix-patches.
(Thu, 15 Mar 2018 18:00:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to
guix-patches <at> gnu.org.
(Thu, 15 Mar 2018 18:00:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/patches/util-linux-CVE-2018-7738.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/linux.scm (util-linux)[replacement]: New field.
(util-linux/fixed): New variable.
---
gnu/local.mk | 1 +
gnu/packages/linux.scm | 10 +++++
.../patches/util-linux-CVE-2018-7738.patch | 49 ++++++++++++++++++++++
3 files changed, 60 insertions(+)
create mode 100644 gnu/packages/patches/util-linux-CVE-2018-7738.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 69e4d2b7b..788b260e5 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1135,6 +1135,7 @@ dist_patch_DATA = \
%D%/packages/patches/unzip-overflow-long-fsize.patch \
%D%/packages/patches/unzip-remove-build-date.patch \
%D%/packages/patches/ustr-fix-build-with-gcc-5.patch \
+ %D%/packages/patches/util-linux-CVE-2018-7738.patch \
%D%/packages/patches/util-linux-tests.patch \
%D%/packages/patches/upower-builddir.patch \
%D%/packages/patches/valgrind-enable-arm.patch \
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index b81cb55d6..0c7642201 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -547,6 +547,7 @@ providing the system administrator with some help in common tasks.")
(define-public util-linux
(package
(name "util-linux")
+ (replacement util-linux/fixed)
(version "2.31")
(source (origin
(method url-fetch)
@@ -634,6 +635,15 @@ block devices, UUIDs, TTYs, and many other tools.")
(license (list license:gpl3+ license:gpl2+ license:gpl2 license:lgpl2.0+
license:bsd-4 license:public-domain))))
+(define util-linux/fixed
+ (package
+ (inherit util-linux)
+ (source
+ (origin
+ (inherit (package-source util-linux))
+ (patches (append (origin-patches (package-source util-linux))
+ (search-patches "util-linux-CVE-2018-7738.patch")))))))
+
(define-public ddate
(package
(name "ddate")
diff --git a/gnu/packages/patches/util-linux-CVE-2018-7738.patch b/gnu/packages/patches/util-linux-CVE-2018-7738.patch
new file mode 100644
index 000000000..080e2f56b
--- /dev/null
+++ b/gnu/packages/patches/util-linux-CVE-2018-7738.patch
@@ -0,0 +1,49 @@
+Fix CVE-2018-7738:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738
+
+Patch copied from upstream source repository:
+
+https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55
+
+From 75f03badd7ed9f1dd951863d75e756883d3acc55 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak <at> redhat.com>
+Date: Thu, 16 Nov 2017 16:27:32 +0100
+Subject: [PATCH] bash-completion: (umount) use findmnt, escape a space in
+ paths
+
+ # mount /dev/sdc1 /mnt/test/foo\ bar
+ # umount <tab>
+
+has to return "/mnt/test/foo\ bar".
+
+Changes:
+
+ * don't use mount | awk output, we have findmnt
+ * force compgen use \n as entries separator
+
+Addresses: https://github.com/karelzak/util-linux/issues/539
+Signed-off-by: Karel Zak <kzak <at> redhat.com>
+---
+ bash-completion/umount | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/bash-completion/umount b/bash-completion/umount
+index d76cb9fff..98c90d61a 100644
+--- a/bash-completion/umount
++++ b/bash-completion/umount
+@@ -40,9 +40,10 @@ _umount_module()
+ return 0
+ ;;
+ esac
+- local DEVS_MPOINTS
+- DEVS_MPOINTS="$(mount | awk '{print $1, $3}')"
+- COMPREPLY=( $(compgen -W "$DEVS_MPOINTS" -- $cur) )
+- return 0
++
++ local oldifs=$IFS
++ IFS=$'\n'
++ COMPREPLY=( $( compgen -W '$(findmnt -lno TARGET | sed "s/\([[:blank:]]\)/\\\\\1/g")' -- "$cur" ) )
++ IFS=$oldifs
+ }
+ complete -F _umount_module umount
--
2.16.2
Information forwarded
to
guix-patches <at> gnu.org:
bug#30827; Package
guix-patches.
(Fri, 16 Mar 2018 14:14:01 GMT)
Full text and
rfc822 format available.
Message #8 received at 30827 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Leo Famulari <leo <at> famulari.name> writes:
> * gnu/packages/patches/util-linux-CVE-2018-7738.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/linux.scm (util-linux)[replacement]: New field.
> (util-linux/fixed): New variable.
LGTM, thanks!
[signature.asc (application/pgp-signature, inline)]
bug closed, send any further explanations to
30827 <at> debbugs.gnu.org and Leo Famulari <leo <at> famulari.name>
Request was from
Leo Famulari <leo <at> famulari.name>
to
control <at> debbugs.gnu.org.
(Fri, 16 Mar 2018 14:34:02 GMT)
Full text and
rfc822 format available.
Information forwarded
to
guix-patches <at> gnu.org:
bug#30827; Package
guix-patches.
(Mon, 19 Mar 2018 09:16:02 GMT)
Full text and
rfc822 format available.
Message #13 received at 30827 <at> debbugs.gnu.org (full text, mbox):
Hello!
Leo Famulari <leo <at> famulari.name> skribis:
> * gnu/packages/patches/util-linux-CVE-2018-7738.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/linux.scm (util-linux)[replacement]: New field.
> (util-linux/fixed): New variable.
[...]
> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738
> +
> +Patch copied from upstream source repository:
> +
> +https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55
I’m late to the party, but I’m wondering in this case if, instead of
grafting, we should simply add an util-linux <at> 2.31a package, and make
sure GuixSD uses that one in %base-packages.
That way, both GuixSD and manually installed util-linux would get the
Bash completion fix. It’s probably OK that packages that depend on
util-linux don’t get the fixed version because users don’t get bash
completion from there.
WDYT?
Thanks,
Ludo’.
Information forwarded
to
guix-patches <at> gnu.org:
bug#30827; Package
guix-patches.
(Mon, 19 Mar 2018 20:53:01 GMT)
Full text and
rfc822 format available.
Message #16 received at 30827 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Mon, Mar 19, 2018 at 10:15:22AM +0100, Ludovic Courtès wrote:
> Hello!
>
> Leo Famulari <leo <at> famulari.name> skribis:
>
> > * gnu/packages/patches/util-linux-CVE-2018-7738.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> > * gnu/packages/linux.scm (util-linux)[replacement]: New field.
> > (util-linux/fixed): New variable.
>
> [...]
>
> > +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738
> > +
> > +Patch copied from upstream source repository:
> > +
> > +https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55
>
> I’m late to the party, but I’m wondering in this case if, instead of
> grafting, we should simply add an util-linux <at> 2.31a package, and make
> sure GuixSD uses that one in %base-packages.
>
> That way, both GuixSD and manually installed util-linux would get the
> Bash completion fix. It’s probably OK that packages that depend on
> util-linux don’t get the fixed version because users don’t get bash
> completion from there.
>
> WDYT?
That's a good idea. I'll test and push today.
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#30827; Package
guix-patches.
(Mon, 19 Mar 2018 22:16:01 GMT)
Full text and
rfc822 format available.
Message #19 received at 30827 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Mon, Mar 19, 2018 at 10:15:22AM +0100, Ludovic Courtès wrote:
> I’m late to the party, but I’m wondering in this case if, instead of
> grafting, we should simply add an util-linux <at> 2.31a package, and make
> sure GuixSD uses that one in %base-packages.
>
> That way, both GuixSD and manually installed util-linux would get the
> Bash completion fix. It’s probably OK that packages that depend on
> util-linux don’t get the fixed version because users don’t get bash
> completion from there.
>
> WDYT?
What do you think of the attached patch?
[0001-gnu-util-linux-Fix-CVE-2018-7738-without-grafting.patch (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#30827; Package
guix-patches.
(Tue, 20 Mar 2018 01:24:01 GMT)
Full text and
rfc822 format available.
Message #22 received at 30827 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Leo Famulari <leo <at> famulari.name> writes:
> On Mon, Mar 19, 2018 at 10:15:22AM +0100, Ludovic Courtès wrote:
>> I’m late to the party, but I’m wondering in this case if, instead of
>> grafting, we should simply add an util-linux <at> 2.31a package, and make
>> sure GuixSD uses that one in %base-packages.
>>
>> That way, both GuixSD and manually installed util-linux would get the
>> Bash completion fix. It’s probably OK that packages that depend on
>> util-linux don’t get the fixed version because users don’t get bash
>> completion from there.
>>
>> WDYT?
>
> What do you think of the attached patch?
> From c29872dab8ca0a8fc20bdaf4183d6f061fa2c677 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo <at> famulari.name>
> Date: Mon, 19 Mar 2018 17:13:26 -0400
> Subject: [PATCH] gnu: util-linux: Fix CVE-2018-7738 without grafting.
>
> * gnu/packages/linux.scm (util-linux)[replacement]: Remove field.
> (util-linux-2.31.1): New variable.
> * gnu/system.scm (%base-packages): Use util-linux-2.31.1.
[...]
> -(define util-linux/fixed
> +;; The patch 'util-linux-CVE-2018-7738.patch' fixes a security bug in
> +;; the Bash completions for `mount`. Since this bug doesn't affect
> +;; other programs that link against libraries from util-linux, we don't
> +;; need to use a graft to make the fix available. Instead, users
> +;; installing util-linux will get the fix in this newer version, and
> +;; (@ (gnu system) %base-packages) takes care to use this package.
> +;; This solution was suggested here:
> +;; <https://debbugs.gnu.org/cgi/bugreport.cgi?bug=30827#13>
> +(define-public util-linux-2.31.1
> (package
> (inherit util-linux)
> - (source
> - (origin
> - (inherit (package-source util-linux))
> - (patches (append (origin-patches (package-source util-linux))
> - (search-patches "util-linux-CVE-2018-7738.patch")))))))
> + (name "util-linux")
> + ;; XXX Don't update this without also updating %base-packages!
> + (version "2.31.1")
> + (source (origin
> + (method url-fetch)
> + (uri (string-append "mirror://kernel.org/linux/utils/"
> + name "/v" (version-major+minor version) "/"
> + name "-" version ".tar.xz"))
> + (sha256
> + (base32
> + "04fzrnrr3pvqskvjn9f81y0knh0jvvqx4lmbz5pd4lfdm5pv2l8s"))
> + (patches (search-patches "util-linux-tests.patch"
> + "util-linux-CVE-2018-7738.patch"))
> + (modules '((guix build utils)))
> + (snippet
> + ;; We take the 'logger' program from GNU Inetutils and 'kill'
> + ;; from GNU Coreutils.
> + '(begin
> + (substitute* "configure"
> + (("build_logger=yes") "build_logger=no")
> + (("build_kill=yes") "build_kill=no"))
> + #t))))))
You can keep (inherit (package-source ...)) here to avoid duplicating
snippet, modules and method. Apart from that LGTM.
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#30827; Package
guix-patches.
(Tue, 20 Mar 2018 08:48:02 GMT)
Full text and
rfc822 format available.
Message #25 received at 30827 <at> debbugs.gnu.org (full text, mbox):
Hi,
Marius Bakke <mbakke <at> fastmail.com> skribis:
> Leo Famulari <leo <at> famulari.name> writes:
[...]
>> From c29872dab8ca0a8fc20bdaf4183d6f061fa2c677 Mon Sep 17 00:00:00 2001
>> From: Leo Famulari <leo <at> famulari.name>
>> Date: Mon, 19 Mar 2018 17:13:26 -0400
>> Subject: [PATCH] gnu: util-linux: Fix CVE-2018-7738 without grafting.
>>
>> * gnu/packages/linux.scm (util-linux)[replacement]: Remove field.
>> (util-linux-2.31.1): New variable.
>> * gnu/system.scm (%base-packages): Use util-linux-2.31.1.
>
> [...]
>
>> -(define util-linux/fixed
>> +;; The patch 'util-linux-CVE-2018-7738.patch' fixes a security bug in
>> +;; the Bash completions for `mount`. Since this bug doesn't affect
>> +;; other programs that link against libraries from util-linux, we don't
>> +;; need to use a graft to make the fix available. Instead, users
>> +;; installing util-linux will get the fix in this newer version, and
>> +;; (@ (gnu system) %base-packages) takes care to use this package.
>> +;; This solution was suggested here:
>> +;; <https://debbugs.gnu.org/cgi/bugreport.cgi?bug=30827#13>
>> +(define-public util-linux-2.31.1
>> (package
>> (inherit util-linux)
>> - (source
>> - (origin
>> - (inherit (package-source util-linux))
>> - (patches (append (origin-patches (package-source util-linux))
>> - (search-patches "util-linux-CVE-2018-7738.patch")))))))
>> + (name "util-linux")
>> + ;; XXX Don't update this without also updating %base-packages!
>> + (version "2.31.1")
>> + (source (origin
>> + (method url-fetch)
>> + (uri (string-append "mirror://kernel.org/linux/utils/"
>> + name "/v" (version-major+minor version) "/"
>> + name "-" version ".tar.xz"))
>> + (sha256
>> + (base32
>> + "04fzrnrr3pvqskvjn9f81y0knh0jvvqx4lmbz5pd4lfdm5pv2l8s"))
>> + (patches (search-patches "util-linux-tests.patch"
>> + "util-linux-CVE-2018-7738.patch"))
>> + (modules '((guix build utils)))
>> + (snippet
>> + ;; We take the 'logger' program from GNU Inetutils and 'kill'
>> + ;; from GNU Coreutils.
>> + '(begin
>> + (substitute* "configure"
>> + (("build_logger=yes") "build_logger=no")
>> + (("build_kill=yes") "build_kill=no"))
>> + #t))))))
>
> You can keep (inherit (package-source ...)) here to avoid duplicating
> snippet, modules and method. Apart from that LGTM.
Agreed.
Thank you!
Ludo’.
Information forwarded
to
guix-patches <at> gnu.org:
bug#30827; Package
guix-patches.
(Tue, 20 Mar 2018 21:18:01 GMT)
Full text and
rfc822 format available.
Message #28 received at 30827-done <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Tue, Mar 20, 2018 at 09:47:02AM +0100, Ludovic Courtès wrote:
> Marius Bakke <mbakke <at> fastmail.com> skribis:
> > You can keep (inherit (package-source ...)) here to avoid duplicating
> > snippet, modules and method. Apart from that LGTM.
>
> Agreed.
>
> Thank you!
Thanks, pushed as af23710ff522bb4e6cedf841c4fb977d96c9d8b3
[signature.asc (application/pgp-signature, inline)]
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Wed, 18 Apr 2018 11:24:04 GMT)
Full text and
rfc822 format available.
This bug report was last modified 7 years and 147 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.