authorLudovic Courtès <ludo@gnu.org>2014-09-26 09:49:09 +0200
committerLudovic Courtès <ludo@gnu.org>2014-09-26 09:49:09 +0200
commitb5c5d763ca872fc3a3a500af9230ce2ac2def5c0 (patch)
tree12acdc9f653676fea8e6b726df641fa9d6dcf45b
parent223ecaba7f17f59cdca8dc6531478d7cf30f29d3 (diff)
parentc1fe82d5866b9271d92266517b2941850e6bbbd0 (diff)
downloadguix-b5c5d763ca872fc3a3a500af9230ce2ac2def5c0.tar.gz
Merge branch 'bash-cve-2014-6271'
-rw-r--r--gnu/packages/bash.scm83
-rw-r--r--gnu/packages/bootstrap.scm11
-rw-r--r--guix/gnupg.scm4
-rw-r--r--guix/packages.scm8
4 files changed, 95 insertions, 11 deletions
diff --git a/gnu/packages/bash.scm b/gnu/packages/bash.scm
index 26dfe93099..a2952ceef5 100644
--- a/gnu/packages/bash.scm
+++ b/gnu/packages/bash.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -23,7 +23,76 @@
   #:use-module (guix packages)
   #:use-module (guix download)
   #:use-module (guix utils)
-  #:use-module (guix build-system gnu))
+  #:use-module (guix build-system gnu)
+  #:autoload   (guix gnupg) (gnupg-verify*)
+  #:autoload   (guix hash) (port-sha256)
+  #:autoload   (guix base32) (bytevector->nix-base32-string)
+  #:use-module (srfi srfi-1)
+  #:use-module (srfi srfi-26)
+  #:use-module (ice-9 format))
+
+(define (patch-url seqno)
+  "Return the URL of Bash patch number SEQNO."
+  (format #f "mirror://gnu/bash/bash-4.3-patches/bash43-~3,'0d" seqno))
+
+(define (bash-patch seqno sha256)
+  "Return the origin of Bash patch SEQNO, with expected hash SHA256"
+  (origin
+    (method url-fetch)
+    (uri (patch-url seqno))
+    (sha256 sha256)))
+
+(define-syntax-rule (patch-series (seqno hash) ...)
+  (list (bash-patch seqno (base32 hash))
+        ...))
+
+(define %patch-series-4.3
+  ;; This is the current patches series for 4.3, generated using
+  ;; 'download-patches' below.
+  (patch-series
+   (1 "0hip2n2s5hws8p4nfcz37379zn6cak83ljsm64z52rw6ckrdzczc")
+   (2 "0ashj5d1g3zbyr7zf0r72s5wnk96cz1xj919y3jajadbc9qcvrzf")
+   (3 "0z88q4daq7dmw93iqd9c5i5d1sndklih3nrh0v75746da2n6w3h0")
+   (4 "0f0kh9j5k4ym6knshscx31przm50x5cc7ifkwqk0swh6clna982y")
+   (5 "1ym3b8b7lgmdp3dklp8qaqhyq965wd5392namq8mz7rb0d231j0s")
+   (6 "04q20igq49py49ynb0f83f6f52cdkyqwd9bpic6akr0m5pkqwr50")
+   (7 "18zkz23d9myshrwfcwcdjk7qmkqp8az5n91ni9jaixlwqlhy64qi")
+   (8 "0pprcwvh7ngdli0x95pc1cpssg4qg7layi9xrv2jq6c7965ajhcr")
+   (9 "19a0pf0alp30d1bjj0zf3zq2f5n0s6y91w7brm9jyswl51kns8n0")
+   (10 "1dzhr5ammyijisz48cqi5vaw26hfr5vh9smnqxq4qc9p06f7j1ff")
+   (11 "0fvzdzzi142a8rf3v965r6gbpn0k7fv2gif1yq8a4160vcn40qvw")
+   (12 "04lcgfcyz7p3zagb4hkia3hkpd7lii9m8ycy9qqwzyrm1c1pj4ry")
+   (13 "0y9cqi378z6flapkd5k5lfl4lq3ivzg4njj3i3wmw7xb6r9wma5z")
+   (14 "04xcb0k9fxxq4vashgzb98567xzdnm4655nlm4jvfvjv6si6ykas")
+   (15 "13ay6lldy1p00xj41nfjpq8lai3vw2qwca79gx6s80z04j53wa8k")
+   (16 "0wq7bvx3pfw90pnfb86yg5nr9jgjsvm2nq5rrkqxf6zn977hpmlj")
+   (17 "103p7sibihv6cshqj12k546zsbz0dnd5cv5vlx1719avddfc4rqj")
+   (18 "0n1x3812y1brb9xbabaj3fvr4cpvm2225iwckmqk2fcpkq5b9a3s")
+   (19 "08rd1p7zpzgbpmmmnj2im8wj2pcwmbbx51psr9vdc5c049si9ad7")
+   (20 "163c6g05qpag2plx5q795pmw3f3m904jy7z93xj2i08pgzc8cpna")
+   (21 "1a90cl3h10dh8k9f2ddrsjmw5ywaw2d5x78xb4fd2sryi039yhs1")
+   (22 "120s0s4qcqd0q12j1iv0hkpf9fp3w5jnqw646kv66n66jnxlfkgx")
+   (23 "1m00sfi88p2akgiyrg4hw0gvz3s1586pkzjdr3dm73vs773m1hls")
+   (24 "0v0gjqzjsqjfgj5x17fq7g649k94jn8zq92qsxkhc2d6l215hl1v")
+   (25 "0lcj96i659q35f1jcmwwbnw3p7w7vvlxjxqi989vn6d6qksqcl8y"))) ;CVE-2014-6271
+
+(define (download-patches store count)
+  "Download COUNT Bash patches into store.  Return a list of
+number/base32-hash tuples, directly usable in the 'patch-series' form."
+  (unfold (cut > <> count)
+          (lambda (number)
+            (let* ((patch  (download-to-store store (patch-url number)))
+                   (sig    (download-to-store store
+                                              (string-append (patch-url number)
+                                                             ".sig"))))
+              (unless (gnupg-verify* sig patch)
+                (error "failed to verify signature" patch))
+
+              (list number
+                    (bytevector->nix-base32-string
+                     (call-with-input-file patch port-sha256)))))
+          1+
+          1))
 
 (define-public bash
   (let* ((cppflags (string-join '("-DSYS_BASHRC='\"/etc/bashrc\"'"
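Review bot: The docstring of `download-patches` refers to its `store` parameter in lowercase ("into store"), whereas the convention visible in `patch-url` ("SEQNO") and in the same docstring ("COUNT") is to capitalize parameter names; suggest `"Download COUNT Bash patches into STORE.  Return a list of`. The `bash-patch` docstring is also missing its terminating period. The error raised when `gnupg-verify*` returns false names only the patch file; passing the signature file as well, `(error "failed to verify signature" patch sig)`, makes a missing or stale detached signature easier to diagnose. Note that this signature check lives only in this maintainer-side helper: at build time `bash-patch` pins each patch solely through the sha256 recorded in `%patch-series-4.3`, which is worth stating in the comment above that list so reviewers know where the trust anchor actually is.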
@@ -48,17 +117,21 @@
              ;; Add a `bash' -> `sh' link.
              (let ((out (assoc-ref outputs "out")))
                (with-directory-excursion (string-append out "/bin")
-                 (symlink "bash" "sh"))))))
+                 (symlink "bash" "sh")))))
+         (version "4.3"))
     (package
      (name "bash")
-     (version "4.3")
      (source (origin
               (method url-fetch)
               (uri (string-append
                     "mirror://gnu/bash/bash-" version ".tar.gz"))
               (sha256
                (base32
-                "1m14s1f61mf6bijfibcjm9y6pkyvz6gibyl8p4hxq90fisi8gimg"))))
+                "1m14s1f61mf6bijfibcjm9y6pkyvz6gibyl8p4hxq90fisi8gimg"))
+              (patch-flags '("-p0"))
+              (patches %patch-series-4.3)))
+     (version (string-append version "."
+                             (number->string (length %patch-series-4.3))))
      (build-system gnu-build-system)
      (inputs `(("readline" ,readline)
                ("ncurses" ,ncurses)))             ; TODO: add texinfo
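Review bot: The new `version` field derives the package version from `(length %patch-series-4.3)`, but nothing says why; a short comment would spare the next reader from guessing, e.g. `;; Version is "4.3.N", N being the number of upstream patches applied.` (this appears to mirror upstream's patch-level numbering, but that is inferred). Because the string is computed, appending a duplicate or out-of-order entry to `%patch-series-4.3` silently changes the version as well, so the list and this field have to be kept in step. The `let*` that binds `version` begins before this hunk and the `package` form continues past it.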
diff --git a/gnu/packages/bootstrap.scm b/gnu/packages/bootstrap.scm
index 981cde9f2b..71ccb19597 100644
--- a/gnu/packages/bootstrap.scm
+++ b/gnu/packages/bootstrap.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -78,7 +78,14 @@
                      (boot url-fetch))
                     (else orig-method)))
       (patch-guile %bootstrap-guile)
-      (patch-inputs %bootstrap-patch-inputs))))
+      (patch-inputs %bootstrap-patch-inputs)
+
+      ;; Patches can be origins as well, so process them.
+      (patches (map (match-lambda
+                     ((? origin? patch)
+                      (bootstrap-origin patch))
+                     (patch patch))
+                    (origin-patches source))))))
 
 (define (package-from-tarball name source program-to-test description)
   "Return a package that correspond to the extraction of SOURCE.
diff --git a/guix/gnupg.scm b/guix/gnupg.scm
index 29ddc78e27..d1d8b377e1 100644
--- a/guix/gnupg.scm
+++ b/guix/gnupg.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2010, 2011, 2013 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2010, 2011, 2013, 2014 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -54,7 +54,7 @@
     ;; See file `doc/DETAILS' in GnuPG.
     (define sigid-rx
       (make-regexp
-       "^\\[GNUPG:\\] SIG_ID ([A-Za-z0-9/]+) ([[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}) ([[:digit:]]+)"))
+       "^\\[GNUPG:\\] SIG_ID ([A-Za-z0-9+/]+) ([[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}) ([[:digit:]]+)"))
     (define goodsig-rx
       (make-regexp "^\\[GNUPG:\\] GOODSIG ([[:xdigit:]]+) (.+)$"))
     (define validsig-rx
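Review bot: The SIG_ID character class gains `+` without a comment explaining the field's format, so a later reader may be tempted to "tidy" it back; `;; SIG_ID is a radix-64 string (see doc/DETAILS), so '+' and '/' are both valid.` would settle that. Whether `=` padding can ever appear in that field is not resolved by this hunk; if it can, the regex will again stop matching such lines. A SIG_ID line that fails to match presumably makes the verification report failure rather than success, so the original defect was fail-closed, but it silently rejected valid signatures. The enclosing definition starts before this hunk.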
diff --git a/guix/packages.scm b/guix/packages.scm
index b4fc026dbb..97a2464309 100644
--- a/guix/packages.scm
+++ b/guix/packages.scm
@@ -345,8 +345,12 @@ IMPORTED-MODULES specify modules to use/import for use by SNIPPET."
   (define patch-inputs
     (map (lambda (number patch)
            (list (string-append "patch" (number->string number))
-                 (add-to-store store (basename patch) #t
-                               "sha256" patch)))
+                 (match patch
+                   ((? string?)
+                    (add-to-store store (basename patch) #t
+                                  "sha256" patch))
+                   ((? origin?)
+                    (package-source-derivation store patch)))))
          (iota (length patches))
 
          patches))
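Review bot: The new `match` on `patch` has no fallback clause, so a patch that is neither a string nor an origin aborts with a generic match failure that does not name the value; a final `(_ (error "invalid patch" patch))` keeps the rejection while making the cause visible. The origin branch is the security-relevant one: `package-source-derivation` presumably yields a derivation that fetches the patch, so the origin's declared sha256 is what pins its contents at build time, and a one-line comment saying so, `;; An origin patch is fetched via its own derivation; its sha256 pins the contents.`, would help reviewers of future patch lists. `match` needs `(ice-9 match)` in scope, and the module header is outside this hunk. The enclosing definition starts before the hunk and continues past its last line.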