gnu: bash: Remove graft for CVE-2017-5932.

* gnu/packages/bash.scm (bash)[replacement]: Remove.
(bash-minimal)[replacement]: Remove.
(url-fetch/reset-patch-level, bash/fixed): Remove.
Ludovic Courtès 2017-02-10 17:44:31 +01:00
parent 768f0ac9dd
commit 20c1b4b88d
No known key found for this signature in database
GPG Key ID: 090B11993D9AEBB5
1 changed files with 1 additions and 40 deletions


@ -65,7 +65,7 @@
(4 "1cy8abf96hkrjhw921ndr0shlcnc52bg45rn6xri4v5clhq0l25d") (4 "1cy8abf96hkrjhw921ndr0shlcnc52bg45rn6xri4v5clhq0l25d")
(5 "0a8515kyk4zsgmvlqvlganjfr7pq0j6kzpr4d6xx02kpbdr4n7i2") (5 "0a8515kyk4zsgmvlqvlganjfr7pq0j6kzpr4d6xx02kpbdr4n7i2")
(6 "1f24wgqngmj2mrj9yibwvc2zvlmn5xi53mnw777g3l40c4m2x3ka") (6 "1f24wgqngmj2mrj9yibwvc2zvlmn5xi53mnw777g3l40c4m2x3ka")
(7 "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y") (7 "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y") ;CVE-2017-5932
(8 "1firw915mjm03hbbw9a70ch3cpgrgnvqjpllgdnn6csr8q04f546") (8 "1firw915mjm03hbbw9a70ch3cpgrgnvqjpllgdnn6csr8q04f546")
(9 "0g1l56kvw61rpw7dqa9fcl9llkl693h73g631hrhxlm030ddssqb") (9 "0g1l56kvw61rpw7dqa9fcl9llkl693h73g631hrhxlm030ddssqb")
(10 "01lfhrkdsdkdz8ypzapr614ras23x7ckjnr60aa5bzkaqprccrc4") (10 "01lfhrkdsdkdz8ypzapr614ras23x7ckjnr60aa5bzkaqprccrc4")
@ -110,7 +110,6 @@ number/base32-hash tuples, directly usable in the 'patch-series' form."
(version "4.4")) (version "4.4"))
(package (package
(name "bash") (name "bash")
(replacement bash/fixed)
(source (origin (source (origin
(method url-fetch) (method url-fetch)
(uri (string-append (uri (string-append
@ -204,7 +203,6 @@ without modification.")
;; A stripped-down Bash for non-interactive use. ;; A stripped-down Bash for non-interactive use.
(package (inherit bash) (package (inherit bash)
(name "bash-minimal") (name "bash-minimal")
(replacement #f) ;not vulnerable to CVE-2017-5932 since it lacks completion
(inputs '()) ; no readline, no curses (inputs '()) ; no readline, no curses
;; No "include" output because there's no support for loadable modules. ;; No "include" output because there's no support for loadable modules.
@ -260,43 +258,6 @@ without modification.")
(delete-file-recursively (string-append out "/share")) (delete-file-recursively (string-append out "/share"))
#t)))))))))) #t))))))))))
(define* (url-fetch/reset-patch-level url hash-algo hash
#:optional name
#:key (system (%current-system)) guile)
"Fetch the Bash patch from URL and reset its 'PATCHLEVEL' definition so it
can apply to a patch-level 0 Bash."
(mlet* %store-monad ((name -> (or name (basename url)))
(patch (url-fetch url hash-algo hash
(string-append name ".orig")
#:system system
#:guile guile)))
(gexp->derivation name
(with-imported-modules '((guix build utils))
#~(begin
(use-modules (guix build utils))
(copy-file #$patch #$output)
(substitute* #$output
(("PATCHLEVEL [0-6]+")
"PATCHLEVEL 0"))))
#:guile-for-build guile
#:system system)))
(define bash/fixed ;CVE-2017-5932 (RCE with completion)
(package
(inherit bash)
(version "4.4.A") ;4.4.0 + patch #7
(replacement #f)
(source
(origin
(inherit (package-source bash))
(patches (cons (origin
(method url-fetch/reset-patch-level)
(uri (patch-url 7))
(sha256
(base32
"1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y")))
(origin-patches (package-source bash))))))))
(define-public bash-completion (define-public bash-completion
(package (package
(name "bash-completion") (name "bash-completion")