GNU bug report logs - #47144
security patching of 'patch' package

Package: guix;

Reported by: Mark H Weaver <mhw <at> netris.org>

Date: Sun, 14 Mar 2021 21:39:02 UTC

Severity: normal

Tags: security

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#47144: closed (security patching of 'patch' package)
Date: Mon, 24 Jun 2024 05:17:04 +0000
[Message part 1 (text/plain, inline)]
Your message dated Mon, 24 Jun 2024 00:43:46 -0400
with message-id <87cyo70x31.fsf_-_ <at> gmail.com>
and subject line Re: bug#47144: security patching of 'patch' package
has caused the debbugs.gnu.org bug report #47144,
regarding security patching of 'patch' package
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
47144: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=47144
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Mark H Weaver <mhw <at> netris.org>
To: bug-guix <at> gnu.org
Cc: Léo Le Bouter <lle-bout <at> zaclys.net>
Subject: security patching of 'patch' package
Date: Sun, 14 Mar 2021 17:37:25 -0400
[Message part 3 (text/plain, inline)]
I'm forwarding this to bug-guix <at> gnu.org so that it won't be forgotten.

       Mark

-------------------- Start of forwarded message --------------------
Subject: security patching of 'patch' package
From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: guix-devel <at> gnu.org
Date: Wed, 10 Mar 2021 04:14:35 +0100

[Message part 4 (text/plain, inline)]
Hello!

I could find that the 'patch' package was vulnerable to numerous CVEs
that other distros like Debian have patched. Here's the list reported
by 'guix lint -c cve patch':

patch <at> 2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638,
CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951,
CVE-2018-6952

Can I use latest commit from master to build 'patch' then graft
original package?

i.e. https://git.savannah.gnu.org/git/patch.git

There's not that many commits since last release, but lots of time: 
https://git.savannah.gnu.org/cgit/patch.git/log/

Thank you,
Léo
[Message part 6 (text/plain, inline)]
-------------------- End of forwarded message --------------------
[Message part 7 (message/rfc822, inline)]
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 47144-done <at> debbugs.gnu.org
Cc: Josselin Poiret <dev <at> jpoiret.xyz>, Tobias Geerinckx-Rice <me <at> tobias.gr>,
 Sharlatan Hellseher <sharlatanus <at> gmail.com>,
 Ekaitz Zarraga <ekaitz <at> elenq.tech>, Simon Tournier <zimon.toutoune <at> gmail.com>,
 Guillaume Le Vaillant <glv <at> posteo.net>, Mark H Weaver <mhw <at> netris.org>,
 Ludovic Courtès <ludo <at> gnu.org>,
 Katherine Cox-Buday <cox.katherine.e+guix <at> gmail.com>,
 Efraim Flashner <efraim <at> flashner.co.il>, Leo Famulari <leo <at> famulari.name>,
 Ricardo Wurmus <rekado <at> elephly.net>, Munyoki Kilyungi <me <at> bonfacemunyoki.com>,
 jgart <jgart <at> dismail.de>, Mathieu Othacehe <othacehe <at> gnu.org>,
 Christopher Baines <guix <at> cbaines.net>,
 Léo Le Bouter <lle-bout <at> zaclys.net>
Subject: Re: bug#47144: security patching of 'patch' package
Date: Mon, 24 Jun 2024 00:43:46 -0400
Hi,

Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:

> * gnu/packages/base.scm (patch): Rename to...
> (patch/pinned): ... this.  Hide package.
> (patch): New variable.
> * gnu/packages/commencement.scm (patch-mesboot): Inherit from patch/pinned.
> (patch-boot0): Likewise.
> (%final-inputs): Replace patch with patch/pinned.
> * gnu/packages/lisp.scm (cl-asdf): Likewise.
> * guix/packages.scm (%standard-patch-inputs): Replace patch with patch/pinned.
>
> Fixes: https://issues.guix.gnu.org/47144
> Reported-by: Mark H Weaver <mhw <at> netris.org>
> Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873

Applied locally and will push shortly.

-- 
Thanks,
Maxim


This bug report was last modified 1 year and 18 days ago.


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.