gnu: bash: Update to 4.3.27 and fix out-of-bounds memory accesses.

Based on a patch by Ludovic Courtès <ludo@gnu.org>. * gnu/packages/bash.scm (%patch-series-4.3): Add two patches. (bash)[source]: Add parser-oob patch. Add 'snippet'. [native-inputs]: New field. * gnu/packages/commencement.scm (bison-boot1): New variable. (static-bash-for-glibc): Add 'native-inputs'. Co-Authored-By: Ludovic Courtès <ludo@gnu.org>
2014-09-28 01:48:58 -04:00 · 2014-09-28 01:48:58 -04:00 · 2d5d63d718
parent b5f4bb855d
commit 2d5d63d718
2 changed files with 43 additions and 3 deletions
--- a/gnu/packages/bash.scm
+++ b/gnu/packages/bash.scm
@ -20,6 +20,7 @@
  #:use-module (guix licenses)
  #:use-module (gnu packages ncurses)
  #:use-module (gnu packages readline)
+  #:use-module (gnu packages bison)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix utils)
@ -74,7 +75,9 @@
   (22 "120s0s4qcqd0q12j1iv0hkpf9fp3w5jnqw646kv66n66jnxlfkgx")
   (23 "1m00sfi88p2akgiyrg4hw0gvz3s1586pkzjdr3dm73vs773m1hls")
   (24 "0v0gjqzjsqjfgj5x17fq7g649k94jn8zq92qsxkhc2d6l215hl1v")
-   (25 "0lcj96i659q35f1jcmwwbnw3p7w7vvlxjxqi989vn6d6qksqcl8y"))) ;CVE-2014-6271
+   (25 "0lcj96i659q35f1jcmwwbnw3p7w7vvlxjxqi989vn6d6qksqcl8y") ;CVE-2014-6271
+   (26 "0k919ir0inwn4wai2vdzpbwqq5h54fnrlkmgccxjg91v3ch15k1f") ;CVE-2014-7169
+   (27 "1gnsfvq6bhb3srlbh0cannj2hackdsipcg7z0ds7zlk1hp96mdqy")))

 (define (download-patches store count)
  "Download COUNT Bash patches into store.  Return a list of
@ -129,12 +132,29 @@ number/base32-hash tuples, directly usable in the 'patch-series' form."
               (base32
                "1m14s1f61mf6bijfibcjm9y6pkyvz6gibyl8p4hxq90fisi8gimg"))
              (patch-flags '("-p0"))
-              (patches %patch-series-4.3)))
+              (patches
+               (append
+                %patch-series-4.3
+                (list
+                 ;; Fix out-of-bound memory accesses.
+                 ;; See <http://seclists.org/oss-sec/2014/q3/712>.
+                 (origin
+                   (method url-fetch)
+                   (uri "http://seclists.org/oss-sec/2014/q3/att-712/parser-oob-4_2.patch")
+                   (sha256
+                    (base32
+                     "1zc26qv76ch2l7pxyzcw0b0bpdsr65g9hrrl2gpw6k9kq2sjvc36"))))))
+
+              ;; The patches above modify 'parse.y', so force a rebuild of the
+              ;; parser.
+              (snippet '(for-each delete-file
+                                  '("y.tab.c" "y.tab.h" "parser-built")))))
     (version (string-append version "."
                             (number->string (length %patch-series-4.3))))
     (build-system gnu-build-system)
+     (native-inputs `(("bison" ,bison)))          ;to rebuild the parser
     (inputs `(("readline" ,readline)
-               ("ncurses" ,ncurses)))             ; TODO: add texinfo
+               ("ncurses" ,ncurses)))             ;TODO: add texinfo
     (arguments
      `(;; When cross-compiling, `configure' incorrectly guesses that job
        ;; control is missing.
--- a/gnu/packages/commencement.scm
+++ b/gnu/packages/commencement.scm
@ -27,8 +27,10 @@
  #:use-module (gnu packages bash)
  #:use-module (gnu packages gcc)
  #:use-module (gnu packages ed)
+  #:use-module (gnu packages m4)
  #:use-module (gnu packages file)
  #:use-module (gnu packages gawk)
+  #:use-module (gnu packages bison)
  #:use-module (gnu packages guile)
  #:use-module (gnu packages multiprecision)
  #:use-module (gnu packages compression)
@ -396,6 +398,23 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
       ("bash" ,bash)))
    (inputs '())))

+(define bison-boot1
+  ;; XXX: This Bison is needed to rebuild Bash's parser, which is modified by
+  ;; its CVE patches.  Remove it when it's no longer needed.
+  (let* ((m4    (package-with-bootstrap-guile
+                 (package-with-explicit-inputs m4 %boot0-inputs
+                                               (current-source-location)
+                                               #:guile %bootstrap-guile)))
+         (bison (package (inherit bison)
+                  (native-inputs `(("perl" ,perl-boot0)))
+                  (propagated-inputs `(("m4" ,m4)))
+                  (inputs '())                    ;remove Flex...
+                  (arguments '(#:tests? #f)))))   ;... and thus disable tests
+   (package-with-bootstrap-guile
+    (package-with-explicit-inputs bison %boot0-inputs
+                                  (current-source-location)
+                                  #:guile %bootstrap-guile))))
+
 (define static-bash-for-glibc
  ;; A statically-linked Bash to be embedded in GLIBC-FINAL, for use by
  ;; system(3) & co.
@ -403,6 +422,7 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
                                  glibc-final-with-bootstrap-bash
                                  (car (assoc-ref %boot1-inputs "bash"))))
         (bash (package (inherit bash-light)
+                 (native-inputs `(("bison" ,bison-boot1)))
                 (arguments
                  `(#:guile ,%bootstrap-guile
                    ,@(package-arguments bash-light))))))