gnu: bash: Remove graft for CVE-2017-5932.
* gnu/packages/bash.scm (bash)[replacement]: Remove. (bash-minimal)[replacement]: Remove. (url-fetch/reset-patch-level, bash/fixed): Remove.
This commit is contained in:
parent
768f0ac9dd
commit
20c1b4b88d
|
@ -65,7 +65,7 @@
|
|||
(4 "1cy8abf96hkrjhw921ndr0shlcnc52bg45rn6xri4v5clhq0l25d")
|
||||
(5 "0a8515kyk4zsgmvlqvlganjfr7pq0j6kzpr4d6xx02kpbdr4n7i2")
|
||||
(6 "1f24wgqngmj2mrj9yibwvc2zvlmn5xi53mnw777g3l40c4m2x3ka")
|
||||
(7 "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y")
|
||||
(7 "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y") ;CVE-2017-5932
|
||||
(8 "1firw915mjm03hbbw9a70ch3cpgrgnvqjpllgdnn6csr8q04f546")
|
||||
(9 "0g1l56kvw61rpw7dqa9fcl9llkl693h73g631hrhxlm030ddssqb")
|
||||
(10 "01lfhrkdsdkdz8ypzapr614ras23x7ckjnr60aa5bzkaqprccrc4")
|
||||
|
@ -110,7 +110,6 @@ number/base32-hash tuples, directly usable in the 'patch-series' form."
|
|||
(version "4.4"))
|
||||
(package
|
||||
(name "bash")
|
||||
(replacement bash/fixed)
|
||||
(source (origin
|
||||
(method url-fetch)
|
||||
(uri (string-append
|
||||
|
@ -204,7 +203,6 @@ without modification.")
|
|||
;; A stripped-down Bash for non-interactive use.
|
||||
(package (inherit bash)
|
||||
(name "bash-minimal")
|
||||
(replacement #f) ;not vulnerable to CVE-2017-5932 since it lacks completion
|
||||
(inputs '()) ; no readline, no curses
|
||||
|
||||
;; No "include" output because there's no support for loadable modules.
|
||||
|
@ -260,43 +258,6 @@ without modification.")
|
|||
(delete-file-recursively (string-append out "/share"))
|
||||
#t))))))))))
|
||||
|
||||
(define* (url-fetch/reset-patch-level url hash-algo hash
|
||||
#:optional name
|
||||
#:key (system (%current-system)) guile)
|
||||
"Fetch the Bash patch from URL and reset its 'PATCHLEVEL' definition so it
|
||||
can apply to a patch-level 0 Bash."
|
||||
(mlet* %store-monad ((name -> (or name (basename url)))
|
||||
(patch (url-fetch url hash-algo hash
|
||||
(string-append name ".orig")
|
||||
#:system system
|
||||
#:guile guile)))
|
||||
(gexp->derivation name
|
||||
(with-imported-modules '((guix build utils))
|
||||
#~(begin
|
||||
(use-modules (guix build utils))
|
||||
(copy-file #$patch #$output)
|
||||
(substitute* #$output
|
||||
(("PATCHLEVEL [0-6]+")
|
||||
"PATCHLEVEL 0"))))
|
||||
#:guile-for-build guile
|
||||
#:system system)))
|
||||
|
||||
(define bash/fixed ;CVE-2017-5932 (RCE with completion)
|
||||
(package
|
||||
(inherit bash)
|
||||
(version "4.4.A") ;4.4.0 + patch #7
|
||||
(replacement #f)
|
||||
(source
|
||||
(origin
|
||||
(inherit (package-source bash))
|
||||
(patches (cons (origin
|
||||
(method url-fetch/reset-patch-level)
|
||||
(uri (patch-url 7))
|
||||
(sha256
|
||||
(base32
|
||||
"1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y")))
|
||||
(origin-patches (package-source bash))))))))
|
||||
|
||||
(define-public bash-completion
|
||||
(package
|
||||
(name "bash-completion")
|
||||
|
|
Loading…
Reference in New Issue