GNU bug report logs - #47144
security patching of 'patch' package

Package: guix

Reported by: Mark H Weaver <mhw <at> netris.org>

Date: Sun, 14 Mar 2021 21:39:02 UTC

Severity: normal

Tags: security

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Mark H Weaver <mhw <at> netris.org>
Subject: bug#47144: closed (Re: bug#47144: security patching of 'patch'
 package)
Date: Mon, 24 Jun 2024 05:17:04 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#47144: security patching of 'patch' package

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 47144 <at> debbugs.gnu.org.

-- 
47144: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=47144
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 47144-done <at> debbugs.gnu.org
Cc: Josselin Poiret <dev <at> jpoiret.xyz>, Tobias Geerinckx-Rice <me <at> tobias.gr>,
 Sharlatan Hellseher <sharlatanus <at> gmail.com>,
 Ekaitz Zarraga <ekaitz <at> elenq.tech>, Simon Tournier <zimon.toutoune <at> gmail.com>,
 Guillaume Le Vaillant <glv <at> posteo.net>, Mark H Weaver <mhw <at> netris.org>,
 Ludovic Courtès <ludo <at> gnu.org>,
 Katherine Cox-Buday <cox.katherine.e+guix <at> gmail.com>,
 Efraim Flashner <efraim <at> flashner.co.il>, Leo Famulari <leo <at> famulari.name>,
 Ricardo Wurmus <rekado <at> elephly.net>, Munyoki Kilyungi <me <at> bonfacemunyoki.com>,
 jgart <jgart <at> dismail.de>, Mathieu Othacehe <othacehe <at> gnu.org>,
 Christopher Baines <guix <at> cbaines.net>,
 Léo Le Bouter <lle-bout <at> zaclys.net>
Subject: Re: bug#47144: security patching of 'patch' package
Date: Mon, 24 Jun 2024 00:43:46 -0400
Hi,

Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:

> * gnu/packages/base.scm (patch): Rename to...
> (patch/pinned): ... this.  Hide package.
> (patch): New variable.
> * gnu/packages/commencement.scm (patch-mesboot): Inherit from patch/pinned.
> (patch-boot0): Likewise.
> (%final-inputs): Replace patch with patch/pinned.
> * gnu/packages/lisp.scm (cl-asdf): Likewise.
> * guix/packages.scm (%standard-patch-inputs): Replace patch with patch/pinned.
>
> Fixes: https://issues.guix.gnu.org/47144
> Reported-by: Mark H Weaver <mhw <at> netris.org>
> Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873

Applied locally and will push shortly.

-- 
Thanks,
Maxim

[Message part 3 (message/rfc822, inline)]
From: Mark H Weaver <mhw <at> netris.org>
To: bug-guix <at> gnu.org
Cc: Léo Le Bouter <lle-bout <at> zaclys.net>
Subject: security patching of 'patch' package
Date: Sun, 14 Mar 2021 17:37:25 -0400
[Message part 4 (text/plain, inline)]
I'm forwarding this to bug-guix <at> gnu.org so that it won't be forgotten.

       Mark

-------------------- Start of forwarded message --------------------
Subject: security patching of 'patch' package
From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: guix-devel <at> gnu.org
Date: Wed, 10 Mar 2021 04:14:35 +0100

[Message part 5 (text/plain, inline)]
Hello!

I could find that the 'patch' package was vulnerable to numerous CVEs
that other distros like Debian have patched. Here's the list reported
by 'guix lint -c cve patch':

patch@2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638,
CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951,
CVE-2018-6952

Can I use latest commit from master to build 'patch' then graft
original package?

i.e. https://git.savannah.gnu.org/git/patch.git

There's not that many commits since last release, but lots of time: 
https://git.savannah.gnu.org/cgit/patch.git/log/

Thank you,
Léo
-------------------- End of forwarded message --------------------

This bug report was last modified 333 days ago.
