GNU bug report logs - #48915
[PATCH] gnu: polkit: Graft a replacement for CVE-2021-3560.

Previous Next

Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Tue, 8 Jun 2021 08:46:02 UTC

Severity: normal

Tags: patch, security

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Ludovic Courtès <ludo <at> gnu.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: 48915 <at> debbugs.gnu.org
Subject: [bug#48915] [PATCH] gnu: polkit: Graft a replacement for CVE-2021-3560.
Date: Tue, 08 Jun 2021 23:32:35 +0200

Leo Famulari <leo <at> famulari.name> skribis:

> On Tue, Jun 08, 2021 at 10:45:12AM +0200, Ludovic Courtès wrote:
>> +(define-public polkit/fixed
>> +  (package
>> +    (inherit polkit)
>> +    (version "0.11A")                             ;0.116 + patch
>> +    (source (origin
>> +              (inherit (package-source polkit))
>> +              (patches (search-patches "polkit-CVE-2021-3560.patch"))))))
>
> Typically, we don't change the version when creating replacement
> packages that apply a patch. We only change the version when the
> replacement package actually updates to a new version.

Pushed as 9178566954cc7f34d2d991d31df4565adad93508!

As discussed on IRC, I ended up making ‘polkit/fixed’ private, with the
version string unchanged (inherited from ‘polkit’).

We wondered whether Cuirass would build ‘polkit/fixed’ if it’s private.
Turns out it does, but this comment in (gnu ci) is still valid:

--8<---------------cut here---------------start------------->8---
(define (all-packages)
  "Return the list of packages to build."
  (define (adjust package result)
    (cond ((package-replacement package)
           ;; XXX: If PACKAGE and its replacement have the same name/version,
           ;; then both Cuirass jobs will have the same name, which
           ;; effectively means that the second one will be ignored.  Thus,
           ;; return the replacement first.
           (cons* (package-replacement package)   ;build both
                  package
                  result))
--8<---------------cut here---------------end--------------->8---

IOW, the replacement, and only the replacement, gets built.

The current ‘zstd’ replacement is private
<https://ci.guix.gnu.org/search?query=system%3Ax86_64-linux+spec%3Amaster+zstd>
only shows derivations for the replacement, not for the original one.
That’s okay though because the original one necessarily got built
earlier.

Thanks,
Ludo’.
This bug report was last modified 3 years and 349 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.