GNU bug report logs - #46194
Doas vulnerability CVE-2019-25016


Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Sat, 30 Jan 2021 20:52:02 UTC

Severity: normal

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Leo Famulari <leo <at> famulari.name>
Subject: bug#46194: closed (Re: bug#46194: [PATCH] gnu: opendoas: Update to 6.8.1.)
Date: Sun, 31 Jan 2021 20:17:02 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#46194: Doas vulnerability CVE-2019-25016

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 46194 <at> debbugs.gnu.org.

-- 
46194: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=46194
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Leo Famulari <leo <at> famulari.name>
To: Brice Waegeneire <brice <at> waegenei.re>
Cc: 46194-done <at> debbugs.gnu.org
Subject: Re: bug#46194: [PATCH] gnu: opendoas: Update to 6.8.1.
Date: Sun, 31 Jan 2021 15:16:06 -0500
On Sun, Jan 31, 2021 at 08:41:07PM +0100, Brice Waegeneire wrote:
> * gnu/packages/admin.scm (opendoas): Update to 6.8.1.
> 
> Fixes #46194.
> ---
> As there isn't any service for this package (I'm working on it), it's quite
> useless and there isn't any package depending on it.  I guess very few
> people, if any, are using it so I see no need for grafting here.

Thanks! I pushed as 9c8156507abeb15f6d3816800c077fd99f861e3d

The question of "should it be grafted" depends on how many packages
depend on it:

$ guix refresh -l opendoas
No dependents other than itself: opendoas@6.8

If `guix refresh` reports that more than 300 packages will be rebuilt,
security updates should use grafts, as specified in the manual section
Submitting Patches:

https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html

We don't want to wait for a 'staging' or 'core-updates' cycle for
security updates, so grafts let us cheat and push things directly to
master, without requiring expensive recompilation of dependent packages.

I know you could have pushed this yourself, although I did it on your
behalf. Now that we've clarified the use case of grafts, please feel
free to push things like this without review :)

The manual section Commit Access offers some guidelines:

"For patches that just add a new package, and a simple one, it’s OK to
commit, if you’re confident (which means you successfully built it in a
chroot setup, and have done a reasonable copyright and license
auditing). Likewise for package upgrades, except upgrades that trigger a
lot of rebuilds (for example, upgrading GnuTLS or GLib)."

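For readers who have not used grafts before, the following is an added illustration of what the alternative Leo describes would look like in Guix Scheme. It is not the commit pushed in this thread (that was a plain version bump, justified by the `guix refresh -l` output above) and it is not the project's own `admin.scm`; it shows how the same 6.8 -> 6.8.1 security fix would be expressed as a graft if `guix refresh` had reported hundreds of dependents. The source hashes are placeholders and the package metadata is abbreviated; the field names (`replacement`, `inherit`, `package-source`) are the real Guix record fields.

```scheme
;; Added example: a Guix graft for a security update (not the code from
;; this bug report).  The original package keeps its version so that
;; dependents are not rebuilt; the `replacement' field tells the daemon
;; to swap in the fixed store item at the end of every build that
;; references the old one.  Hashes below are placeholders: obtain the
;; real ones with `guix hash -rx .` in a checkout of the tagged release.
(use-modules (guix packages)
             (guix git-download)
             (guix build-system gnu)
             ((guix licenses) #:prefix license:))

(define-public opendoas
  (package
    (name "opendoas")
    (version "6.8")                       ; the vulnerable release stays as the "public" version
    (source (origin
              (method git-fetch)
              (uri (git-reference
                    (url "https://github.com/Duncaen/OpenDoas")
                    (commit (string-append "v" version))))
              (file-name (git-file-name name version))
              (sha256
               (base32
                "0000000000000000000000000000000000000000000000000000")))) ; PLACEHOLDER hash
    ;; Grafting: builds that depend on opendoas@6.8 are not rebuilt;
    ;; their references are rewritten to point at opendoas/fixed instead.
    (replacement opendoas/fixed)
    (build-system gnu-build-system)
    (home-page "https://github.com/Duncaen/OpenDoas")
    (synopsis "Portable version of OpenBSD's doas")
    (description "Abbreviated description for this example.")
    (license license:isc)))

;; The fixed package inherits everything and only changes version and
;; source.  A graft must keep the same output layout (same file names
;; and paths) as the package it replaces, which a patch release such as
;; 6.8 -> 6.8.1 normally does; a major version bump would not qualify.
(define opendoas/fixed
  (package
    (inherit opendoas)
    (version "6.8.1")                     ; release carrying the CVE-2019-25016 fix
    (source (origin
              (inherit (package-source opendoas))
              (uri (git-reference
                    (url "https://github.com/Duncaen/OpenDoas")
                    (commit (string-append "v" version))))
              (sha256
               (base32
                "1111111111111111111111111111111111111111111111111111")))))) ; PLACEHOLDER hash

;; Evaluate to the public package so that `guix build -f this-file.scm'
;; builds it; grafts are applied by default and skipped with --no-grafts.
opendoas
```

The practical check before choosing this route is the one shown in the message: `guix refresh -l <package>` counts the dependents that a direct update would rebuild. Below the threshold the manual gives, push the plain version bump; above it, graft so the fix reaches `master` without waiting for a `staging` or `core-updates` cycle, and remove the graft at the next full rebuild.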
[Message part 3 (message/rfc822, inline)]
From: Leo Famulari <leo <at> famulari.name>
To: bug-guix <at> gnu.org
Subject: Doas vulnerability CVE-2019-25016
Date: Sat, 30 Jan 2021 15:51:11 -0500
Our package of doas is apparently vulnerable to CVE-2019-25016:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25016


