GNU bug report logs - #61583
[PATCH] gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].

Previous Next

Package: guix-patches;

Reported by: Greg Hogan <code <at> greghogan.com>

Date: Fri, 17 Feb 2023 18:05:01 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

Full log

Message #47 received at 61583 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Josselin Poiret <dev <at> jpoiret.xyz>
Cc: 61583 <at> debbugs.gnu.org, ludo <at> gnu.org, Greg Hogan <code <at> greghogan.com>,
 zimoun <zimon.toutoune <at> gmail.com>
Subject: Re: [bug#61583] [PATCH] gnu: git: Update to 2.39.2 [fixes
 CVE-2023-22490 & CVE-2023-23946].
Date: Sun, 5 Mar 2023 14:30:45 -0500

> "Leo Famulari" <leo <at> famulari.name> writes:
> > Changing the Git package shouldn't affect fixed-output derivations that fetch from Git. If they do, that's a recent and very serious bug.

Now I have confused myself and I'm unsure. I stepped away from Guix for
a while and forgot a lot of the intimate knowledge I had on this
subject.

I checked, and this patch does change the derivation of packages
fetching from Git, although the output is identical. So, I am confused
about if this will cause >10k rebuilds or not.

Here's how I checked, first by calculating derivations and outputs on
the master branch, and then after applying the patch:

------
$ git rev-parse --abbrev-ref HEAD
master
$ git rev-parse HEAD                                 
cedf97ed6ee4eba8c39bfe6cc0efe33fcb977ccf
$ ./pre-inst-env guix build --no-grafts corefreq -d
/gnu/store/78lhq407x6sjlf3k7jh16ph1pff1y2nw-corefreq-1.95.2.drv    
$ ./pre-inst-env guix build --no-grafts corefreq   
/gnu/store/vva0xljihzmpf4ddbihr168f2ymkh2k0-corefreq-1.95.2-linux-module
/gnu/store/qkwah5gnfqh293i36byhc00cd6xb3jml-corefreq-1.95.2
------

Apply the patch:

------
$ git checkout contrib-security-git                 
Switched to branch 'contrib-security-git'
$ git log --oneline | head -n1         
faeb52692d gnu: git: Update to 2.39.2 [fixes CVE-2023-22490 & CVE-2023-23946].
$ ./pre-inst-env guix build --no-grafts corefreq -d
/gnu/store/sw5942gj4f5lm9i9zn6bwj7f0q0dlf7a-corefreq-1.95.2.drv         
$ ./pre-inst-env guix build --no-grafts corefreq   
/gnu/store/vva0xljihzmpf4ddbihr168f2ymkh2k0-corefreq-1.95.2-linux-module
/gnu/store/qkwah5gnfqh293i36byhc00cd6xb3jml-corefreq-1.95.2
------

The package derivation changed, but not the output.

I'm looking for guidance on how to interpret these results.
This bug report was last modified 2 years and 77 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.