diff options
Diffstat (limited to 'gnu/packages/bash.scm')
| -rw-r--r-- | gnu/packages/bash.scm | 49 |
1 files changed, 46 insertions, 3 deletions
diff --git a/gnu/packages/bash.scm b/gnu/packages/bash.scm index d328d711d1..c121fd84d6 100644 --- a/gnu/packages/bash.scm +++ b/gnu/packages/bash.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org> +;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org> ;;; Copyright © 2015 Leo Famulari <leo@famulari.name> ;;; @@ -28,6 +28,9 @@ #:use-module (guix packages) #:use-module (guix download) #:use-module (guix utils) + #:use-module (guix gexp) + #:use-module (guix monads) + #:use-module (guix store) #:use-module (guix build-system gnu) #:autoload (guix gnupg) (gnupg-verify*) #:autoload (guix hash) (port-sha256) @@ -38,7 +41,7 @@ (define (patch-url seqno) "Return the URL of Bash patch number SEQNO." - (format #f "mirror://gnu/bash/bash-4.3-patches/bash43-~3,'0d" seqno)) + (format #f "mirror://gnu/bash/bash-4.4-patches/bash44-~3,'0d" seqno)) (define (bash-patch seqno sha256) "Return the origin of Bash patch SEQNO, with expected hash SHA256" @@ -95,6 +98,7 @@ number/base32-hash tuples, directly usable in the 'patch-series' form." (version "4.4")) (package (name "bash") + (replacement bash/fixed) (source (origin (method url-fetch) (uri (string-append @@ -181,6 +185,7 @@ without modification.") ;; A stripped-down Bash for non-interactive use. (package (inherit bash) (name "bash-minimal") + (replacement #f) ;not vulnerable to CVE-2017-5932 since it lacks completion (inputs '()) ; no readline, no curses ;; No "include" output because there's no support for loadable modules. @@ -207,7 +212,8 @@ without modification.") "ac_cv_func_dlopen=no" ,@(if (%current-target-system) - '("bash_cv_job_control_missing=no") + '("bash_cv_job_control_missing=no" + "bash_cv_getcwd_malloc=yes") '()))) ((#:phases phases) `(modify-phases ,phases @@ -235,6 +241,43 @@ without modification.") (delete-file-recursively (string-append out "/share")) #t)))))))))) +(define* (url-fetch/reset-patch-level url hash-algo hash + #:optional name + #:key (system (%current-system)) guile) + "Fetch the Bash patch from URL and reset its 'PATCHLEVEL' definition so it +can apply to a patch-level 0 Bash." + (mlet* %store-monad ((name -> (or name (basename url))) + (patch (url-fetch url hash-algo hash + (string-append name ".orig") + #:system system + #:guile guile))) + (gexp->derivation name + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils)) + (copy-file #$patch #$output) + (substitute* #$output + (("PATCHLEVEL [0-6]+") + "PATCHLEVEL 0")))) + #:guile-for-build guile + #:system system))) + +(define bash/fixed ;CVE-2017-5932 (RCE with completion) + (package + (inherit bash) + (version "4.4.A") ;4.4.0 + patch #7 + (replacement #f) + (source + (origin + (inherit (package-source bash)) + (patches (cons (origin + (method url-fetch/reset-patch-level) + (uri (patch-url 7)) + (sha256 + (base32 + "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y"))) + (origin-patches (package-source bash)))))))) + (define-public bash-completion (package (name "bash-completion") |