gnu: rush: Fix CVE-2013-6889.

* gnu/packages/patches/rush-CVE-2013-6889.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/rush.scm (rush): Use it.
2016-05-26 22:51:12 +02:00 · 2016-05-26 22:51:12 +02:00 · 2ca55f939c
parent f01c461994
commit 2ca55f939c
3 changed files with 27 additions and 2 deletions
--- a/gnu/local.mk
+++ b/gnu/local.mk
@ -717,6 +717,7 @@ dist_patch_DATA =						\
  %D%/packages/patches/ripperx-missing-file.patch		\
  %D%/packages/patches/rsem-makefile.patch			\
  %D%/packages/patches/ruby-symlinkfix.patch                    \
+  %D%/packages/patches/rush-CVE-2013-6889.patch			\
  %D%/packages/patches/sed-hurd-path-max.patch			\
  %D%/packages/patches/scheme48-tests.patch			\
  %D%/packages/patches/scotch-test-threading.patch		\
--- a/gnu/packages/patches/rush-CVE-2013-6889.patch
+++ b/gnu/packages/patches/rush-CVE-2013-6889.patch
@ -0,0 +1,23 @@
+commit 00bdccd429517f12dbf37ab4397ddec3e51a2738
+Author: Mats Erik Andersson <gnu@gisladisker.se>
+Date:   Mon Jan 20 13:33:52 2014 +0200
+
+    Protect against CVE-2013-6889 (tiny change).
+    
+    Reset the effective user identification in testing mode.
+
+diff --git a/src/rush.c b/src/rush.c
+index 45d737a..dc6518e 100644
+--- a/src/rush.c
+++ b/src/rush.c
+@@ -980,6 +980,10 @@ main(int argc, char **argv)
+ 	} else if (argc > optind)
+ 		die(usage_error, NULL, _("invalid command line"));
+ 	
+	/* Relinquish root privileges in test mode */
+	if (lint_option)
+		setuid(getuid());
+	
+ 	if (test_user_name) {
+ 		struct passwd *pw = getpwnam(test_user_name);
+ 		if (!pw)
--- a/gnu/packages/rush.scm
+++ b/gnu/packages/rush.scm
@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@ -36,7 +36,8 @@
             (sha256
              (base32
               "0fh0gbbp0iiq3wbkf503xb40r8ljk42vyj9bnlflbz82d6ipy1rm"))
-             (patches (search-patches "cpio-gets-undeclared.patch"))))
+             (patches (search-patches "cpio-gets-undeclared.patch"
+                                      "rush-CVE-2013-6889.patch"))))
    (build-system gnu-build-system)
    (home-page "http://www.gnu.org/software/rush/")
    (synopsis "Restricted user (login) shell")