summary refs log tree commit diff
diff options
context:
space:
mode:
authorLudovic Courtès <ludo@gnu.org>2017-02-10 17:44:31 +0100
committerLudovic Courtès <ludo@gnu.org>2017-02-10 17:44:31 +0100
commit20c1b4b88d396b6261660e2fda03229094cce62d (patch)
treea2157ff1986b8697c2d6e7d031e9b93f652be16c
parent768f0ac9dd9993827430d62d0f72a5020f476892 (diff)
downloadguix-20c1b4b88d396b6261660e2fda03229094cce62d.tar.gz
gnu: bash: Remove graft for CVE-2017-5932.
* gnu/packages/bash.scm (bash)[replacement]: Remove.
(bash-minimal)[replacement]: Remove.
(url-fetch/reset-patch-level, bash/fixed): Remove.
-rw-r--r--gnu/packages/bash.scm41
1 files changed, 1 insertions, 40 deletions
diff --git a/gnu/packages/bash.scm b/gnu/packages/bash.scm
index ec9f83519f..910da0b197 100644
--- a/gnu/packages/bash.scm
+++ b/gnu/packages/bash.scm
@@ -65,7 +65,7 @@
    (4 "1cy8abf96hkrjhw921ndr0shlcnc52bg45rn6xri4v5clhq0l25d")
    (5 "0a8515kyk4zsgmvlqvlganjfr7pq0j6kzpr4d6xx02kpbdr4n7i2")
    (6 "1f24wgqngmj2mrj9yibwvc2zvlmn5xi53mnw777g3l40c4m2x3ka")
-   (7 "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y")
+   (7 "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y") ;CVE-2017-5932
    (8 "1firw915mjm03hbbw9a70ch3cpgrgnvqjpllgdnn6csr8q04f546")
    (9 "0g1l56kvw61rpw7dqa9fcl9llkl693h73g631hrhxlm030ddssqb")
    (10 "01lfhrkdsdkdz8ypzapr614ras23x7ckjnr60aa5bzkaqprccrc4")
@@ -110,7 +110,6 @@ number/base32-hash tuples, directly usable in the 'patch-series' form."
          (version "4.4"))
     (package
      (name "bash")
-     (replacement bash/fixed)
      (source (origin
               (method url-fetch)
               (uri (string-append
@@ -204,7 +203,6 @@ without modification.")
   ;; A stripped-down Bash for non-interactive use.
   (package (inherit bash)
     (name "bash-minimal")
-    (replacement #f) ;not vulnerable to CVE-2017-5932 since it lacks completion
     (inputs '())                                ; no readline, no curses
 
     ;; No "include" output because there's no support for loadable modules.
@@ -260,43 +258,6 @@ without modification.")
                    (delete-file-recursively (string-append out "/share"))
                    #t))))))))))
 
-(define* (url-fetch/reset-patch-level url hash-algo hash
-                                      #:optional name
-                                      #:key (system (%current-system)) guile)
-  "Fetch the Bash patch from URL and reset its 'PATCHLEVEL' definition so it
-can apply to a patch-level 0 Bash."
-  (mlet* %store-monad ((name -> (or name (basename url)))
-                       (patch (url-fetch url hash-algo hash
-                                         (string-append name ".orig")
-                                         #:system system
-                                         #:guile guile)))
-    (gexp->derivation name
-                      (with-imported-modules '((guix build utils))
-                        #~(begin
-                            (use-modules (guix build utils))
-                            (copy-file #$patch #$output)
-                            (substitute* #$output
-                              (("PATCHLEVEL [0-6]+")
-                               "PATCHLEVEL 0"))))
-                      #:guile-for-build guile
-                      #:system system)))
-
-(define bash/fixed                        ;CVE-2017-5932 (RCE with completion)
-  (package
-    (inherit bash)
-    (version "4.4.A")                             ;4.4.0 + patch #7
-    (replacement #f)
-    (source
-     (origin
-       (inherit (package-source bash))
-       (patches (cons (origin
-                        (method url-fetch/reset-patch-level)
-                        (uri (patch-url 7))
-                        (sha256
-                         (base32
-                          "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y")))
-                      (origin-patches (package-source bash))))))))
-
 (define-public bash-completion
   (package
     (name "bash-completion")