authorMaxim Cournoyer <maxim.cournoyer@gmail.com>2024-06-05 20:46:21 -0400
committerMaxim Cournoyer <maxim.cournoyer@gmail.com>2024-06-24 08:51:45 -0400
commit831001c581279ee981aea7433e4d6dbe30de7d31 (patch)
tree88f19896e4f47b0dd515de182d446d23d1afbf6e
parent1a0509e7fa1caeb5c56e936849e3b574ef27aa53 (diff)
gnu: patch: Update to latest commit [security fixes].
* gnu/packages/base.scm (patch): Rename to...
(patch/pinned): ... this.  Hide package.
(patch): New variable.
* gnu/packages/commencement.scm (patch-mesboot): Inherit from patch/pinned.
(patch-boot0): Likewise.
(%final-inputs): Replace patch with patch/pinned.
* gnu/packages/lisp.scm (cl-asdf): Likewise.
* guix/packages.scm (%standard-patch-inputs): Replace patch with patch/pinned.

Fixes: https://issues.guix.gnu.org/47144
Reported-by: Mark H Weaver <mhw@netris.org>
Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873
-rw-r--r--gnu/packages/base.scm102
-rw-r--r--gnu/packages/commencement.scm8
-rw-r--r--gnu/packages/lisp.scm2
-rw-r--r--guix/packages.scm2
4 files changed, 82 insertions, 32 deletions
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index bbe5b8cf57..66c5b7d237 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -19,7 +19,7 @@
 ;;; Copyright © 2021 Leo Le Bouter <lle-bout@zaclys.net>
 ;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
 ;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net>
-;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 ;;; Copyright © 2022 zamfofex <zamfofex@twdb.moe>
 ;;; Copyright © 2022 John Kehayias <john.kehayias@protonmail.com>
 ;;; Copyright © 2023 Josselin Poiret <dev@jpoiret.xyz>
@@ -46,8 +46,10 @@
   #:use-module (gnu packages acl)
   #:use-module (gnu packages algebra)
   #:use-module (gnu packages attr)
+  #:use-module (gnu packages autotools)
   #:use-module (gnu packages bash)
   #:use-module (gnu packages bison)
+  #:use-module (gnu packages build-tools)
   #:use-module (gnu packages gcc)
   #:use-module (gnu packages guile)
   #:use-module (gnu packages multiprecision)
@@ -261,35 +263,83 @@ standard utility.")
    (license gpl3+)
    (home-page "https://www.gnu.org/software/tar/")))
 
-(define-public patch
-  (package
-    (name "patch")
-    (version "2.7.6")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://gnu/patch/patch-"
-                                  version ".tar.xz"))
-              (sha256
-               (base32
-                "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc"))
-              (patches (search-patches "patch-hurd-path-max.patch"))))
-    (build-system gnu-build-system)
-    (arguments
-     ;; Work around a cross-compilation bug whereby libpatch.a would provide
-     ;; '__mktime_internal', which conflicts with the one in libc.a.
-     (if (%current-target-system)
-         `(#:configure-flags '("gl_cv_func_working_mktime=yes"))
-         '()))
-    (native-inputs (list ed))
-    (synopsis "Apply differences to originals, with optional backups")
-    (description
-     "Patch is a program that applies changes to files based on differences
+;;; TODO: Replace/merge with 'patch' on core-updates.
+(define-public patch/pinned
+  (hidden-package
+   (package
+     (name "patch")
+     (version "2.7.6")
+     (source (origin
+               (method url-fetch)
+               (uri (string-append "mirror://gnu/patch/patch-"
+                                   version ".tar.xz"))
+               (sha256
+                (base32
+                 "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc"))
+               (patches (search-patches "patch-hurd-path-max.patch"))))
+     (build-system gnu-build-system)
+     (arguments
+      ;; Work around a cross-compilation bug whereby libpatch.a would provide
+      ;; '__mktime_internal', which conflicts with the one in libc.a.
+      (if (%current-target-system)
+          `(#:configure-flags '("gl_cv_func_working_mktime=yes"))
+          '()))
+     (native-inputs (list ed))
+     (synopsis "Apply differences to originals, with optional backups")
+     (description
+      "Patch is a program that applies changes to files based on differences
 laid out as by the program \"diff\".  The changes may be applied to one or more
 files depending on the contents of the diff file.  It accepts several
 different diff formats.  It may also be used to revert previously applied
 differences.")
-    (license gpl3+)
-    (home-page "https://savannah.gnu.org/projects/patch/")))
+     (license gpl3+)
+     (home-page "https://savannah.gnu.org/projects/patch/"))))
+
+(define-public patch
+  ;; The latest release is from 2018, and lacks multiple security related
+  ;; patches.  Since Fedora carries 23 patches, simply use the latest commit
+  ;; until a proper release is made.
+  (let ((revision "0")
+        (commit "f144b35425d9d7732ea5485034c1a6b7a106ab92")
+        (base patch/pinned))
+    (package
+      (inherit base)
+      (name "patch")
+      (version (git-version "2.7.6" revision commit))
+      (source (origin
+                (method git-fetch)
+                (uri (git-reference
+                      (url "https://git.savannah.gnu.org/git/patch.git")
+                      (commit commit)))
+                (file-name (git-file-name name version))
+                (sha256
+                 (base32
+                  "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz"))
+                (patches (search-patches "patch-hurd-path-max.patch"))))
+      (arguments
+       (substitute-keyword-arguments (package-arguments base)
+         ((#:phases phases '%standard-phases)
+          #~(modify-phases #$phases
+              (add-after 'unpack 'copy-gnulib-sources
+                (lambda _
+                  ;; XXX: We copy the source instead of using 'gnulib' as a
+                  ;; native input to avoid introducing a dependency cycle.
+                  (copy-recursively #+gnulib "gnulib")
+                  (setenv "GNULIB_SRCDIR"
+                          (string-append (getcwd) "/gnulib/src/gnulib"))))
+              (add-after 'copy-gnulib-sources 'update-bootstrap-script
+                (lambda _
+                  (copy-file "gnulib/src/gnulib/build-aux/bootstrap"
+                             "bootstrap")))
+              (add-after 'unpack 'patch-configure.ac
+                (lambda _
+                  (substitute* "configure.ac"
+                    ;; The gnulib-provided git-version-gen script has a plain
+                    ;; shebang of #!/bin/sh; avoid using it.
+                    (("build-aux/git-version-gen" all)
+                     (string-append "sh " all)))))))))
+      (native-inputs (list autoconf automake bison ed))
+      (properties '()))))
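Review bot: The comment above the new `patch` variable says the 2.7.6 release lacks security fixes but does not say which report this pin addresses, so whoever next bumps `commit` cannot tell when an upstream release supersedes it; I would add `;; See <https://issues.guix.gnu.org/47144> for the fixes this pin pulls in.` under the existing comment. `(properties '())` on the last line silently drops the `hidden-package` marker inherited from `patch/pinned`; a one-line `;; Unhide: 'patch/pinned' is hidden, this is the user-facing variant.` would make that intent visible. `patch-hurd-path-max.patch` is still applied on top of the git checkout although it was presumably written against the 2.7.6 tarball, so it is worth confirming it still applies and is still needed at commit f144b354. The `copy-gnulib-sources` phase already explains why `gnulib` is copied rather than taken as a native input, which is the right level of detail for the other two phases as well.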
 
 (define-public diffutils
   (package
diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
index b4d236c35b..0433059493 100644
--- a/gnu/packages/commencement.scm
+++ b/gnu/packages/commencement.scm
@@ -878,7 +878,7 @@ MesCC-Tools), and finally M2-Planet.")
 (define patch-mesboot
   ;; The initial patch.
   (package
-    (inherit patch)
+    (inherit patch/pinned)
     (name "patch-mesboot")
     (version "2.5.9")
     (source (origin
@@ -2167,8 +2167,8 @@ exec " gcc "/bin/" program
 
 (define patch-boot0
   (package
-    (inherit patch)
-    (source (bootstrap-origin (package-source patch)))
+    (inherit patch/pinned)
+    (source (bootstrap-origin (package-source patch/pinned)))
     (name "patch-boot0")
     (native-inputs '())
     (inputs
@@ -3482,7 +3482,7 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
                    ("bzip2" ,bzip2)
                    ("file" ,file)
                    ("diffutils" ,diffutils)
-                   ("patch" ,patch)
+                   ("patch" ,patch/pinned)
                    ("findutils" ,findutils)
                    ("gawk" ,gawk)))
           ("sed" ,sed-final)
diff --git a/gnu/packages/lisp.scm b/gnu/packages/lisp.scm
index d4ad7fd495..1b985362b1 100644
--- a/gnu/packages/lisp.scm
+++ b/gnu/packages/lisp.scm
@@ -382,7 +382,7 @@ interface.")
     (build-system trivial-build-system)
     (native-inputs
      `(("config-patch" ,@(search-patches "cl-asdf-config-directories.patch"))
-       ("patch" ,patch)))
+       ("patch" ,patch/pinned)))
     (arguments
      `(#:modules ((guix build utils)
                   (guix build lisp-utils))
diff --git a/guix/packages.scm b/guix/packages.scm
index abe89cdb07..f3a9a61785 100644
--- a/guix/packages.scm
+++ b/guix/packages.scm
@@ -899,7 +899,7 @@ identifiers.  The result is inferred from the file names of patches."
       ("gzip"  ,(ref '(gnu packages compression) 'gzip))
       ("lzip"  ,(ref '(gnu packages compression) 'lzip))
       ("unzip" ,(ref '(gnu packages compression) 'unzip))
-      ("patch" ,(ref '(gnu packages base) 'patch))
+      ("patch" ,(ref '(gnu packages base) 'patch/pinned))
       ("locales"
        ,(parameterize ((%current-target-system #f)
                        (%current-system system))
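Review bot: `%standard-patch-inputs` keeps the unfixed 2.7.6 release for applying patches to every origin, and nothing in the hunk says why the fixed `patch` is not used here; presumably it is to avoid a dependency cycle now that `patch` needs autotools and gnulib, whose own sources go through this function. I would add `;; Use the unfixed 'patch/pinned' to avoid a cycle: 'patch' now needs autotools.` next to the changed line. The inputs patched here come from `search-patches` in the Guix tree rather than from untrusted sources, which limits the exposure of keeping the older binary, but that reasoning belongs where the pin lives. The same substitution in commencement.scm and lisp.scm would read better with a short pointer to this rationale.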