From: bug#30827 <30827@debbugs.gnu.org>
To: bug#30827 <30827@debbugs.gnu.org>
Subject: Status: [PATCH] gnu: util-linux: Fix CVE-2018-7738.
Reply-To: bug#30827 <30827@debbugs.gnu.org>
Date: Wed, 10 Sep 2025 19:32:50 +0000

retitle 30827 [PATCH] gnu: util-linux: Fix CVE-2018-7738.
reassign 30827 guix-patches
submitter 30827 Leo Famulari
severity 30827 normal
tag 30827 patch
thanks

From: Leo Famulari
To: guix-patches@gnu.org
Subject: [PATCH] gnu: util-linux: Fix CVE-2018-7738.
Date: Thu, 15 Mar 2018 13:58:42 -0400

* gnu/packages/patches/util-linux-CVE-2018-7738.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/linux.scm (util-linux)[replacement]: New field.
(util-linux/fixed): New variable.
--- gnu/local.mk | 1 + gnu/packages/linux.scm | 10 +++++ .../patches/util-linux-CVE-2018-7738.patch | 49 ++++++++++++++++++++++ 3 files changed, 60 insertions(+) create mode 100644 gnu/packages/patches/util-linux-CVE-2018-7738.patch diff --git a/gnu/local.mk b/gnu/local.mk index 69e4d2b7b..788b260e5 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1135,6 +1135,7 @@ dist_patch_DATA = \ %D%/packages/patches/unzip-overflow-long-fsize.patch \ %D%/packages/patches/unzip-remove-build-date.patch \ %D%/packages/patches/ustr-fix-build-with-gcc-5.patch \ + %D%/packages/patches/util-linux-CVE-2018-7738.patch \ %D%/packages/patches/util-linux-tests.patch \ %D%/packages/patches/upower-builddir.patch \ %D%/packages/patches/valgrind-enable-arm.patch \ diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index b81cb55d6..0c7642201 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm
@@ -547,6 +547,7 @@ providing the system administrator with some help in common tasks.") (define-public util-linux (package (name "util-linux") + (replacement util-linux/fixed) (version "2.31") (source (origin (method url-fetch) @@ -634,6 +635,15 @@ block devices, UUIDs, TTYs, and many other tools.") (license (list license:gpl3+ license:gpl2+ license:gpl2 license:lgpl2.0+ license:bsd-4 license:public-domain)))) +(define util-linux/fixed + (package + (inherit util-linux) + (source + (origin + (inherit (package-source util-linux)) + (patches (append (origin-patches (package-source util-linux)) + (search-patches "util-linux-CVE-2018-7738.patch"))))))) + (define-public ddate (package (name "ddate") diff --git a/gnu/packages/patches/util-linux-CVE-2018-7738.patch b/gnu/packages/patches/util-linux-CVE-2018-7738.patch new file mode 100644 index 000000000..080e2f56b --- /dev/null +++ b/gnu/packages/patches/util-linux-CVE-2018-7738.patch 
@@ -0,0 +1,49 @@ +Fix CVE-2018-7738: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738 + +Patch copied from upstream source repository: + +https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55 + +From 75f03badd7ed9f1dd951863d75e756883d3acc55 Mon Sep 17 00:00:00 2001 +From: Karel Zak +Date: Thu, 16 Nov 2017 16:27:32 +0100 +Subject: [PATCH] bash-completion: (umount) use findmnt, escape a space in + paths + + # mount /dev/sdc1 /mnt/test/foo\ bar + # umount + +has to return "/mnt/test/foo\ bar". + +Changes: + + * don't use mount | awk output, we have findmnt + * force compgen use \n as entries separator + +Addresses: https://github.com/karelzak/util-linux/issues/539 +Signed-off-by: Karel Zak +--- + bash-completion/umount | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/bash-completion/umount b/bash-completion/umount +index d76cb9fff..98c90d61a 100644 +--- a/bash-completion/umount ++++ b/bash-completion/umount +@@ -40,9 +40,10 @@ _umount_module() + return 0 + ;; + esac +- local DEVS_MPOINTS +- DEVS_MPOINTS="$(mount | awk '{print $1, $3}')" +- COMPREPLY=( $(compgen -W "$DEVS_MPOINTS" -- $cur) ) +- return 0 ++ ++ local oldifs=$IFS ++ IFS=$'\n' ++ COMPREPLY=( $( compgen -W '$(findmnt -lno TARGET | sed "s/\([[:blank:]]\)/\\\\\1/g")' -- "$cur" ) ) ++ IFS=$oldifs + } + complete -F _umount_module umount -- 2.16.2
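
Review bot: in the gnu/packages/linux.scm hunk, `util-linux/fixed` is attached through `(replacement util-linux/fixed)`, that is as a graft, while the only file the added patch changes is `bash-completion/umount`. A graft substitutes the fixed package for every reference to util-linux, yet the completion script matters only where util-linux is installed for interactive use. A comment above `(define util-linux/fixed` saying why a graft is needed, or a separate fixed package instead, would make the scope of the fix explicit.
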
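
Review bot: in the bash-completion/umount hunk, `local oldifs=$IFS` paired with `IFS=$oldifs` does not restore an IFS that was unset when completion ran: it comes back set to the empty string, and because IFS is not declared local the user's interactive shell keeps that value. Declaring `local IFS=$'\n'` inside `_umount_module` scopes the change to the function and needs no restore line. Separately, the removed `awk '{print $1, $3}'` offered both the device and the mount point, while `findmnt -lno TARGET` offers mount points only, so completion of `umount` by device name is dropped; if that is intended the patch header should say so.
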
From: Marius Bakke
To: Leo Famulari, 30827@debbugs.gnu.org
Subject: Re: [bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738.
Date: Fri, 16 Mar 2018 15:13:38 +0100

Leo Famulari writes:

> * gnu/packages/patches/util-linux-CVE-2018-7738.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/linux.scm (util-linux)[replacement]: New field.
> (util-linux/fixed): New variable.

LGTM, thanks!

From: Leo Famulari
To: control@debbugs.gnu.org
Date: Fri, 16 Mar 2018 10:33:41 -0400

close 30827

From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari
Cc: 30827@debbugs.gnu.org, Marius Bakke
Subject: Re: [bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738.
Date: Mon, 19 Mar 2018 10:15:22 +0100

Hello!

Leo Famulari writes:

> * gnu/packages/patches/util-linux-CVE-2018-7738.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/linux.scm (util-linux)[replacement]: New field.
> (util-linux/fixed): New variable.

[...]

> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738
> +
> +Patch copied from upstream source repository:
> +
> +https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55

I’m late to the party, but I’m wondering in this case if, instead of
grafting, we should simply add an util-linux@2.31a package, and make
sure GuixSD uses that one in %base-packages.

That way, both GuixSD and manually installed util-linux would get the
Bash completion fix. It’s probably OK that packages that depend on
util-linux don’t get the fixed version because users don’t get bash
completion from there.

WDYT?

Thanks,
Ludo’.

From: Leo Famulari
To: Ludovic Courtès
Cc: 30827@debbugs.gnu.org, Marius Bakke
Subject: Re: [bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738.
Date: Mon, 19 Mar 2018 16:52:21 -0400

On Mon, Mar 19, 2018 at 10:15:22AM +0100, Ludovic Courtès wrote:
> Hello!
>
> Leo Famulari writes:
>
> > * gnu/packages/patches/util-linux-CVE-2018-7738.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> > * gnu/packages/linux.scm (util-linux)[replacement]: New field.
> > (util-linux/fixed): New variable.
>
> [...]
>
> > +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738
> > +
> > +Patch copied from upstream source repository:
> > +
> > +https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55
>
> I’m late to the party, but I’m wondering in this case if, instead of
> grafting, we should simply add an util-linux@2.31a package, and make
> sure GuixSD uses that one in %base-packages.
>
> That way, both GuixSD and manually installed util-linux would get the
> Bash completion fix. It’s probably OK that packages that depend on
> util-linux don’t get the fixed version because users don’t get bash
> completion from there.
>
> WDYT?

That's a good idea. I'll test and push today.

From: Leo Famulari
To: Ludovic Courtès
Cc: 30827@debbugs.gnu.org, Marius Bakke
Subject: Re: [bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738.
Date: Mon, 19 Mar 2018 18:15:51 -0400

On Mon, Mar 19, 2018 at 10:15:22AM +0100, Ludovic Courtès wrote:
> I’m late to the party, but I’m wondering in this case if, instead of
> grafting, we should simply add an util-linux@2.31a package, and make
> sure GuixSD uses that one in %base-packages.
>
> That way, both GuixSD and manually installed util-linux would get the
> Bash completion fix. It’s probably OK that packages that depend on
> util-linux don’t get the fixed version because users don’t get bash
> completion from there.
>
> WDYT?

What do you think of the attached patch?

Content-Disposition: attachment; filename="0001-gnu-util-linux-Fix-CVE-2018-7738-without-grafting.patch"

From c29872dab8ca0a8fc20bdaf4183d6f061fa2c677 Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Mon, 19 Mar 2018 17:13:26 -0400
Subject: [PATCH] gnu: util-linux: Fix CVE-2018-7738 without grafting.

* gnu/packages/linux.scm (util-linux)[replacement]: Remove field.
(util-linux-2.31.1): New variable.
* gnu/system.scm (%base-packages): Use util-linux-2.31.1.
--- gnu/packages/linux.scm | 40 ++++++++++++++++++++++++++++++++-------- gnu/system.scm | 2 +- 2 files changed, 33 insertions(+), 9 deletions(-) diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index b586c29d0..710b39bbd 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -19,7 +19,7 @@ ;;; Copyright =A9 2016 Rene Saavedra ;;; Copyright =A9 2016 Carlos S=E1nchez de La Lama ;;; Copyright =A9 2016, 2017 ng0 -;;; Copyright =A9 2017 Leo Famulari +;;; Copyright =A9 2017, 2018 Leo Famulari ;;; Copyright =A9 2017 Jos=E9 Miguel S=E1nchez Garc=EDa ;;; Copyright =A9 2017 G=E1bor Boskovits ;;; Copyright =A9 2017 Mathieu Othacehe @@ -547,7 +547,6 @@ providing the system administrator with some help in co= mmon tasks.") (define-public util-linux (package (name "util-linux") - (replacement util-linux/fixed) (version "2.31") (source (origin (method url-fetch)
@@ -635,14 +634,39 @@ block devices, UUIDs, TTYs, and many other tools.") (license (list license:gpl3+ license:gpl2+ license:gpl2 license:lgpl2.= 0+ license:bsd-4 license:public-domain)))) =20 -(define util-linux/fixed +;; The patch 'util-linux-CVE-2018-7738.patch' fixes a security bug in +;; the Bash completions for `mount`. Since this bug doesn't affect +;; other programs that link against libraries from util-linux, we don't +;; need to use a graft to make the fix available. Instead, users +;; installing util-linux will get the fix in this newer version, and +;; (@ (gnu system) %base-packages) takes care to use this package. +;; This solution was suggested here: +;; +(define-public util-linux-2.31.1 (package (inherit util-linux) - (source - (origin - (inherit (package-source util-linux)) - (patches (append (origin-patches (package-source util-linux)) - (search-patches "util-linux-CVE-2018-7738.patch")= )))))) + (name "util-linux") + ;; XXX Don't update this without also updating %base-packages! + (version "2.31.1") + (source (origin + (method url-fetch) + (uri (string-append "mirror://kernel.org/linux/utils/" + name "/v" (version-major+minor version) = "/" + name "-" version ".tar.xz")) + (sha256 + (base32 + "04fzrnrr3pvqskvjn9f81y0knh0jvvqx4lmbz5pd4lfdm5pv2l8s")) + (patches (search-patches "util-linux-tests.patch" + "util-linux-CVE-2018-7738.patch")) + (modules '((guix build utils))) + (snippet + ;; We take the 'logger' program from GNU Inetutils and 'kil= l' + ;; from GNU Coreutils. + '(begin + (substitute* "configure" + (("build_logger=3Dyes") "build_logger=3Dno") + (("build_kill=3Dyes") "build_kill=3Dno")) + #t)))))) =20 (define-public ddate (package diff --git a/gnu/system.scm b/gnu/system.scm index eb4b63c42..0e647356c 100644 --- a/gnu/system.scm +++ b/gnu/system.scm 
@@ -515,7 +515,7 @@ explicitly appear in OS." ;; required for basic administrator tasks. (cons* procps psmisc which less zile nano pciutils usbutils - util-linux inetutils isc-dhcp + util-linux-2.31.1 inetutils isc-dhcp (@ (gnu packages admin) shadow) ;for 'passwd' =20 ;; wireless-tools is deprecated in favor of iw, but it's still wh= at --=20 2.16.2
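
Review bot: in the gnu/packages/linux.scm hunk, the new comment above `(define-public util-linux-2.31.1` says the patch fixes the Bash completions for `mount`, but util-linux-CVE-2018-7738.patch as posted earlier in this thread changes `bash-completion/umount`; the comment should name `umount`. The line `;; This solution was suggested here:` is also followed by an empty `;;` line in the text as shown, so the reference it announces is missing.
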
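
Review bot: in the gnu/system.scm hunk, `%base-packages` now names `util-linux-2.31.1` directly, and the package definition carries `;; XXX Don't update this without also updating %base-packages!`, so the version is encoded in a variable name that two files must change in lockstep. A version-neutral public name for the fixed package would let the next update touch linux.scm only and remove the need for the XXX warning.
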
Mar 2018 21:23:10 -0400 (EDT) Received: from frontend1 ([10.202.2.160]) by compute5.internal (MEProxy); Mon, 19 Mar 2018 21:23:10 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.com; h= cc:content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; bh=qL5Gn8C0vbFow5cczdZNxeIOoYa+8EV6xB/qVXqoie8=; b=Bs1qCuK8 3cO/wCGjKY1ANM4Vyvo33OoIXtXtP0JkL74cSU4o1OpJlGaHFyPyMrJZve6ZiL0S xYiOXv+6DTujO+zLTznZHTpHwRUexnGTM7d4XpM7oMgyLtSk8S8wl+NJyKwFbTYT ibJPcbcKTOjaHu3VkGFeHisydQaM3pP7SlZ2TAqgYXqq7OcCVGhWJA6avIai4xcg u3GJ8wPgpDJdGRkzNESVHf1G+eIiTKANVKoNLTUFKWxWOWysq/yFmlNJh0/xeMWX EuyuDnHbXcQg/nhlkbG4IAXSk7sfu2AzPef/tC47Ki0Hw1u9EqaEYq6mLvudFIN0 5zauwQ7euZudDA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc; s=fm2; bh=qL5Gn8C0vbFow5cczdZNxeIOoYa+8 EV6xB/qVXqoie8=; b=G9T+8ExdBfmUV6lJCFOvX8ncAvFGHRwyeCfsr0mifdkEX rIOoj6UP2kAjDyKPY7z6vRRZZAJEBcHqMJYQfnewN+NHTZgOIewwHdz1XzFWBTuq 7aphXG5E/ujxqByWlyepjdz+RV2MI+JK2i+GUwN4XIA3PaXuvXa8rQaV+rQv557K SN8AoFjnraLAb9a1/RdNGo9x1bu/8aLHnkej13MV0obC3GpBDFHXcRvqCv7ADLuN KA00Fg9bHrQjuVB0eKrXgaav9L4zVbu3f9E86WJM9Luapvfw9D7Ho++3H52bmrx7 ha96GYYov2tsMfht/zqpVm8j6DTdaYz4QZkErYP5A== X-ME-Sender: Received: from localhost (ti0019a400-2817.bb.online.no [88.90.102.17]) by mail.messagingengine.com (Postfix) with ESMTPA id 1E7277E13B; Mon, 19 Mar 2018 21:23:09 -0400 (EDT) 
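
Review bot: In the gnu/packages/linux.scm hunk, the new origin for util-linux-2.31.1 hard-codes (patches (search-patches "util-linux-tests.patch" "util-linux-CVE-2018-7738.patch")), whereas the removed util-linux/fixed appended to (origin-patches (package-source util-linux)). A patch added to util-linux later would then be missing from the package that %base-packages installs, with nothing to flag it. Starting the origin with (inherit (package-source util-linux)) and overriding only uri, sha256 and patches would also avoid the second copy of method, modules and the logger/kill snippet. The comment line "This solution was suggested here:" is followed by an empty ";;" in the text shown, so the reference it announces is missing.
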
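
Review bot: In the gnu/system.scm hunk, %base-packages switches to util-linux-2.31.1 with no comment at the use site; the only explanation, and the "XXX Don't update this without also updating %base-packages!" warning, live in gnu/packages/linux.scm. Because the variable name carries the version, every future bump has to rename it and edit this list in the same commit, so a short comment here naming CVE-2018-7738 and saying when to return to plain util-linux would make that coupling visible to whoever edits this file. Packages that take util-linux as an input keep the version without the completion fix, which the linux.scm comment accepts because the bug is confined to the Bash completions for mount.
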
From: Marius Bakke
To: Leo Famulari, Ludovic Courtès
Cc: 30827@debbugs.gnu.org
Subject: Re: [bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738.
Date: Tue, 20 Mar 2018 02:23:08 +0100

Leo Famulari writes:

> On Mon, Mar 19, 2018 at 10:15:22AM +0100, Ludovic Courtès wrote:
>> I’m late to the party, but I’m wondering in this case if, instead of
>> grafting, we should simply add an util-linux@2.31a package, and make
>> sure GuixSD uses that one in %base-packages.
>>
>> That way, both GuixSD and manually installed util-linux would get the
>> Bash completion fix. It’s probably OK that packages that depend on
>> util-linux don’t get the fixed version because users don’t get bash
>> completion from there.
>>
>> WDYT?
>
> What do you think of the attached patch?
> From c29872dab8ca0a8fc20bdaf4183d6f061fa2c677 Mon Sep 17 00:00:00 2001
> From: Leo Famulari > Date: Mon, 19 Mar 2018 17:13:26 -0400 > Subject: [PATCH] gnu: util-linux: Fix CVE-2018-7738 without grafting. > > * gnu/packages/linux.scm (util-linux)[replacement]: Remove field. > (util-linux-2.31.1): New variable. > * gnu/system.scm (%base-packages): Use util-linux-2.31.1. [...] =20=20 > -(define util-linux/fixed > +;; The patch 'util-linux-CVE-2018-7738.patch' fixes a security bug in > +;; the Bash completions for `mount`. Since this bug doesn't affect > +;; other programs that link against libraries from util-linux, we don't > +;; need to use a graft to make the fix available. Instead, users > +;; installing util-linux will get the fix in this newer version, and > +;; (@ (gnu system) %base-packages) takes care to use this package. > +;; This solution was suggested here: > +;; > +(define-public util-linux-2.31.1 > (package > (inherit util-linux) > - (source > - (origin > - (inherit (package-source util-linux)) > - (patches (append (origin-patches (package-source util-linux)) > - (search-patches "util-linux-CVE-2018-7738.patch= "))))))) > + (name "util-linux") > + ;; XXX Don't update this without also updating %base-packages! > + (version "2.31.1") > + (source (origin > + (method url-fetch) > + (uri (string-append "mirror://kernel.org/linux/utils/" > + name "/v" (version-major+minor version= ) "/" > + name "-" version ".tar.xz")) > + (sha256 > + (base32 > + "04fzrnrr3pvqskvjn9f81y0knh0jvvqx4lmbz5pd4lfdm5pv2l8s")) > + (patches (search-patches "util-linux-tests.patch" > + "util-linux-CVE-2018-7738.patch")) > + (modules '((guix build utils))) > + (snippet > + ;; We take the 'logger' program from GNU Inetutils and 'k= ill' > + ;; from GNU Coreutils. > + '(begin > + (substitute* "configure" > + (("build_logger=3Dyes") "build_logger=3Dno") > + (("build_kill=3Dyes") "build_kill=3Dno")) > + #t))))))

You can keep (inherit (package-source ...)) here to avoid duplicating
snippet, modules and method. Apart from that LGTM.

From: ludo@gnu.org (Ludovic Courtès)
To: Marius Bakke
Cc: 30827@debbugs.gnu.org, Leo Famulari
Subject: Re: [bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738.
Date: Tue, 20 Mar 2018 09:47:02 +0100

Hi,

Marius Bakke wrote:

> Leo Famulari writes:

[...]

>> From c29872dab8ca0a8fc20bdaf4183d6f061fa2c677 Mon Sep 17 00:00:00 2001
>> From: Leo Famulari >> Date: Mon, 19 Mar 2018 17:13:26 -0400 >> Subject: [PATCH] gnu: util-linux: Fix CVE-2018-7738 without grafting. >> >> * gnu/packages/linux.scm (util-linux)[replacement]: Remove field. >> (util-linux-2.31.1): New variable. >> * gnu/system.scm (%base-packages): Use util-linux-2.31.1. > > [...] >=20=20=20 >> -(define util-linux/fixed >> +;; The patch 'util-linux-CVE-2018-7738.patch' fixes a security bug in >> +;; the Bash completions for `mount`. Since this bug doesn't affect >> +;; other programs that link against libraries from util-linux, we don't >> +;; need to use a graft to make the fix available. Instead, users >> +;; installing util-linux will get the fix in this newer version, and >> +;; (@ (gnu system) %base-packages) takes care to use this package. >> +;; This solution was suggested here: >> +;; >> +(define-public util-linux-2.31.1 >> (package >> (inherit util-linux) >> - (source >> - (origin >> - (inherit (package-source util-linux)) >> - (patches (append (origin-patches (package-source util-linux)) >> - (search-patches "util-linux-CVE-2018-7738.patc= h"))))))) >> + (name "util-linux") >> + ;; XXX Don't update this without also updating %base-packages! >> + (version "2.31.1") >> + (source (origin >> + (method url-fetch) >> + (uri (string-append "mirror://kernel.org/linux/utils/" >> + name "/v" (version-major+minor versio= n) "/" >> + name "-" version ".tar.xz")) >> + (sha256 >> + (base32 >> + "04fzrnrr3pvqskvjn9f81y0knh0jvvqx4lmbz5pd4lfdm5pv2l8s")) >> + (patches (search-patches "util-linux-tests.patch" >> + "util-linux-CVE-2018-7738.patch"= )) >> + (modules '((guix build utils))) >> + (snippet >> + ;; We take the 'logger' program from GNU Inetutils and '= kill' >> + ;; from GNU Coreutils. 
>> + '(begin >> + (substitute* "configure" >> + (("build_logger=3Dyes") "build_logger=3Dno") >> + (("build_kill=3Dyes") "build_kill=3Dno")) >> + #t))))))
>
> You can keep (inherit (package-source ...)) here to avoid duplicating
> snippet, modules and method. Apart from that LGTM.

Agreed.

Thank you!

Ludo’.

Date: Tue, 20 Mar 2018 17:17:23 -0400
From: Leo Famulari
To: Ludovic Courtès
Cc: Marius Bakke, 30827-done@debbugs.gnu.org
Subject: Re: [bug#30827] [PATCH] gnu: util-linux: Fix CVE-2018-7738.

On Tue, Mar 20, 2018 at 09:47:02AM +0100, Ludovic Courtès wrote:
> Marius Bakke wrote:
> > You can keep (inherit (package-source ...)) here to avoid duplicating
> > snippet, modules and method. Apart from that LGTM.
>
> Agreed.
>
> Thank you!

Thanks, pushed as af23710ff522bb4e6cedf841c4fb977d96c9d8b3

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Wed, 18 Apr 2018 11:24:04 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks