gnu: util-linux: Fix CVE-2018-7738.

* gnu/packages/patches/util-linux-CVE-2018-7738.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/linux.scm (util-linux)[replacement]: New field.
(util-linux/fixed): New variable.
Leo Famulari 2018-03-15 13:57:48 -04:00
parent 5d818b3557
commit 77166eb758
No known key found for this signature in database
GPG Key ID: 2646FA30BACA7F08
3 changed files with 60 additions and 0 deletions

@ -1135,6 +1135,7 @@ dist_patch_DATA = \
%D%/packages/patches/unzip-overflow-long-fsize.patch \ %D%/packages/patches/unzip-overflow-long-fsize.patch \
%D%/packages/patches/unzip-remove-build-date.patch \ %D%/packages/patches/unzip-remove-build-date.patch \
%D%/packages/patches/ustr-fix-build-with-gcc-5.patch \ %D%/packages/patches/ustr-fix-build-with-gcc-5.patch \
%D%/packages/patches/util-linux-CVE-2018-7738.patch \
%D%/packages/patches/util-linux-tests.patch \ %D%/packages/patches/util-linux-tests.patch \
%D%/packages/patches/upower-builddir.patch \ %D%/packages/patches/upower-builddir.patch \
%D%/packages/patches/valgrind-enable-arm.patch \ %D%/packages/patches/valgrind-enable-arm.patch \

@ -547,6 +547,7 @@ providing the system administrator with some help in common tasks.")
(define-public util-linux (define-public util-linux
(package (package
(name "util-linux") (name "util-linux")
(replacement util-linux/fixed)
(version "2.31") (version "2.31")
(source (origin (source (origin
(method url-fetch) (method url-fetch)
@ -634,6 +635,15 @@ block devices, UUIDs, TTYs, and many other tools.")
(license (list license:gpl3+ license:gpl2+ license:gpl2 license:lgpl2.0+ (license (list license:gpl3+ license:gpl2+ license:gpl2 license:lgpl2.0+
license:bsd-4 license:public-domain)))) license:bsd-4 license:public-domain))))
(define util-linux/fixed
(package
(inherit util-linux)
(source
(origin
(inherit (package-source util-linux))
(patches (append (origin-patches (package-source util-linux))
(search-patches "util-linux-CVE-2018-7738.patch")))))))
(define-public ddate (define-public ddate
(package (package
(name "ddate") (name "ddate")
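Review bot: util-linux/fixed carries no comment saying that the graft is temporary. A short note above `(define util-linux/fixed` stating that the patch should move into the `patches` of `util-linux` itself, and the `replacement` field be dropped, the next time the package is rebuilt would keep the two definitions from drifting apart. Keeping it as a plain `define` rather than `define-public` looks right, since it is only reached through `replacement`.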

@ -0,0 +1,49 @@
Fix CVE-2018-7738:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738
Patch copied from upstream source repository:
https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55
From 75f03badd7ed9f1dd951863d75e756883d3acc55 Mon Sep 17 00:00:00 2001
From: Karel Zak <kzak@redhat.com>
Date: Thu, 16 Nov 2017 16:27:32 +0100
Subject: [PATCH] bash-completion: (umount) use findmnt, escape a space in
paths
# mount /dev/sdc1 /mnt/test/foo\ bar
# umount <tab>
has to return "/mnt/test/foo\ bar".
Changes:
* don't use mount | awk output, we have findmnt
* force compgen use \n as entries separator
Addresses: https://github.com/karelzak/util-linux/issues/539
Signed-off-by: Karel Zak <kzak@redhat.com>
---
bash-completion/umount | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/bash-completion/umount b/bash-completion/umount
index d76cb9fff..98c90d61a 100644
--- a/bash-completion/umount
+++ b/bash-completion/umount
@@ -40,9 +40,10 @@ _umount_module()
return 0
;;
esac
- local DEVS_MPOINTS
- DEVS_MPOINTS="$(mount | awk '{print $1, $3}')"
- COMPREPLY=( $(compgen -W "$DEVS_MPOINTS" -- $cur) )
- return 0
+
+ local oldifs=$IFS
+ IFS=$'\n'
+ COMPREPLY=( $( compgen -W '$(findmnt -lno TARGET | sed "s/\([[:blank:]]\)/\\\\\1/g")' -- "$cur" ) )
+ IFS=$oldifs
}
complete -F _umount_module umount
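Review bot: the header added at the top of util-linux-CVE-2018-7738.patch cites the CVE but does not say what the flaw is, and the upstream message quoted under it talks only about escaping a space in paths. One sentence there naming the removed `COMPREPLY=( $(compgen -W "$DEVS_MPOINTS" -- $cur) )` line, where text taken from `mount | awk` output is handed to `compgen -W` as a double-quoted word list, would tell a later reader which line the security fix is about. It is also worth recording in the header that the old code completed both `$1` and `$3` of the mount output, while the replacement lists only `findmnt -lno TARGET`, so device names are no longer offered after `umount <tab>`.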