From 3f6f7b36d3bc919600cc35b5467c13634f9e4d53 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?=
Date: Wed, 24 Sep 2014 19:07:22 +0200
Subject: [PATCH 1/4] packages: Allow use of origins as patches.

* guix/packages.scm (patch-and-repack)[patch-inputs]: Use 'add-to-store' only if the PATCH is a file name, and 'package-source-derivation' if PATCH is an origin.
---
 guix/packages.scm | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/guix/packages.scm b/guix/packages.scm
index b4fc026dbb..97a2464309 100644
--- a/guix/packages.scm
+++ b/guix/packages.scm
@@ -345,8 +345,12 @@ IMPORTED-MODULES specify modules to use/import for use by SNIPPET."
 (define patch-inputs (map (lambda (number patch) (list (string-append "patch" (number->string number))
- (add-to-store store (basename patch) #t
- "sha256" patch)))
+ (match patch
+ ((? string?)
+ (add-to-store store (basename patch) #t
+ "sha256" patch))
+ ((? origin?)
+ (package-source-derivation store patch)))))
 (iota (length patches)) patches))

From 27afb11a2284aaea187897c0fe32e1d50b49d654 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?=
Date: Wed, 24 Sep 2014 19:08:03 +0200
Subject: [PATCH 2/4] gnupg: Correctly parse current 'SIG_ID' lines.

* guix/gnupg.scm (gnupg-verify)[sigid-rx]: Adjust to handle current signature ID encoding.
---
 guix/gnupg.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/guix/gnupg.scm b/guix/gnupg.scm
index 29ddc78e27..d1d8b377e1 100644
--- a/guix/gnupg.scm
+++ b/guix/gnupg.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2010, 2011, 2013 Ludovic Courtès
+;;; Copyright © 2010, 2011, 2013, 2014 Ludovic Courtès
 ;;; Copyright © 2013 Nikita Karetnikov
 ;;;
 ;;; This file is part of GNU Guix.
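Review bot: The new `match` in patch-inputs has no fallback clause, so a patch that is neither a string nor an origin fails with a generic match error on the whole form rather than a message naming the value; a last clause such as `(_ (error "patch is neither a file name nor an origin" patch))` would keep the failure readable and located at the package that declares the patch. The change also presumably relies on (ice-9 match) already being imported by guix/packages.scm, since the hunk does not add it. From a supply-chain standpoint this is the right direction: an origin patch goes through package-source-derivation, so its content is pinned by the sha256 declared in the origin, exactly like a package source. patch-and-repack begins and ends outside the hunk.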
@@ -54,7 +54,7 @@
 ;; See file `doc/DETAILS' in GnuPG. (define sigid-rx (make-regexp
- "^\\[GNUPG:\\] SIG_ID ([A-Za-z0-9/]+) ([[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}) ([[:digit:]]+)"))
+ "^\\[GNUPG:\\] SIG_ID ([A-Za-z0-9+/]+) ([[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}) ([[:digit:]]+)"))
 (define goodsig-rx (make-regexp "^\\[GNUPG:\\] GOODSIG ([[:xdigit:]]+) (.+)$")) (define validsig-rx

From ce517b20d4c80c5b59151fe20e887e3836f9dc57 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?=
Date: Wed, 24 Sep 2014 19:08:54 +0200
Subject: [PATCH 3/4] gnu: bootstrap: Correctly handle patches that are origins.

* gnu/packages/bootstrap.scm (bootstrap-origin): Rewrite the patches of SOURCES that are also origins.
---
 gnu/packages/bootstrap.scm | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/bootstrap.scm b/gnu/packages/bootstrap.scm
index 981cde9f2b..71ccb19597 100644
--- a/gnu/packages/bootstrap.scm
+++ b/gnu/packages/bootstrap.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013 Ludovic Courtès
+;;; Copyright © 2012, 2013, 2014 Ludovic Courtès
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -78,7 +78,14 @@
 (boot url-fetch)) (else orig-method))) (patch-guile %bootstrap-guile)
- (patch-inputs %bootstrap-patch-inputs))))
+ (patch-inputs %bootstrap-patch-inputs)
+
+ ;; Patches can be origins as well, so process them.
+ (patches (map (match-lambda
+ ((? origin? patch)
+ (bootstrap-origin patch))
+ (patch patch))
+ (origin-patches source))))))
 (define (package-from-tarball name source program-to-test description) "Return a package that correspond to the extraction of SOURCE.

From c1fe82d5866b9271d92266517b2941850e6bbbd0 Mon Sep 17 00:00:00 2001
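Review bot: The widened character class `[A-Za-z0-9+/]` in sigid-rx is not explained anywhere in the hunk, and the previous, narrower class shows how easily a status-line regex gets under-specified; a comment such as `;; SIG_ID is Radix-64 encoded, so '+' and '/' are legal (see doc/DETAILS in GnuPG).` would keep the next reader from narrowing it again. If gnupg-verify treats a non-matching SIG_ID line as "no signature found", the old regex silently rejected valid signatures whose ID happened to contain '+', so a unit test feeding a constructed status line with a '+' in the ID would lock the fix in. The gnupg-verify procedure that consumes this regex is outside the hunk.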
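Review bot: The `(patch patch)` fallback of the new `match-lambda` passes any non-origin value through unchanged, whereas the parallel change in guix/packages.scm (patch-inputs) accepts only strings or origins; a value of another type is therefore only rejected later, at derivation time, far from the bootstrap definition that introduced it. Narrowing the fallback to `((? string? patch) patch)` makes both sites reject the same inputs early. Recursing through `bootstrap-origin` for origin patches also rewrites any patches those origins carry themselves, which is what the commit message asks for; a one-line comment noting that would help, e.g. `;; Recurse: an origin used as a patch may itself carry patches.` The match-lambda form presumably works because (ice-9 match) is already imported, since the hunk does not add it; bootstrap-origin starts before the hunk.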
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?=
Date: Wed, 24 Sep 2014 19:19:03 +0200
Subject: [PATCH 4/4] gnu: bash: Apply patch series up to 25 [CVE-2014-6271].

* gnu/packages/bash.scm (patch-url, bash-patch): New procedures. (patch-series): New macro. (%patch-series-4.3): New variable. (download-patches): New procedure. (bash): Change version to include the patch level; pass %PATCH-SERIES-4.3 in the origin.
---
 gnu/packages/bash.scm | 83 ++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 78 insertions(+), 5 deletions(-)

diff --git a/gnu/packages/bash.scm b/gnu/packages/bash.scm
index 26dfe93099..a2952ceef5 100644
--- a/gnu/packages/bash.scm
+++ b/gnu/packages/bash.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013 Ludovic Courtès
+;;; Copyright © 2012, 2013, 2014 Ludovic Courtès
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -23,7 +23,76 @@
 #:use-module (guix packages)
 #:use-module (guix download)
 #:use-module (guix utils)
- #:use-module (guix build-system gnu))
+ #:use-module (guix build-system gnu)
+ #:autoload (guix gnupg) (gnupg-verify*)
+ #:autoload (guix hash) (port-sha256)
+ #:autoload (guix base32) (bytevector->nix-base32-string)
+ #:use-module (srfi srfi-1)
+ #:use-module (srfi srfi-26)
+ #:use-module (ice-9 format))
+
+(define (patch-url seqno)
+ "Return the URL of Bash patch number SEQNO."
+ (format #f "mirror://gnu/bash/bash-4.3-patches/bash43-~3,'0d" seqno))
+
+(define (bash-patch seqno sha256)
+ "Return the origin of Bash patch SEQNO, with expected hash SHA256"
+ (origin
+ (method url-fetch)
+ (uri (patch-url seqno))
+ (sha256 sha256)))
+
+(define-syntax-rule (patch-series (seqno hash) ...)
+ (list (bash-patch seqno (base32 hash))
+ ...))
+
+(define %patch-series-4.3
+ ;; This is the current patches series for 4.3, generated using
+ ;; 'download-patches' below.
+ (patch-series
+ (1 "0hip2n2s5hws8p4nfcz37379zn6cak83ljsm64z52rw6ckrdzczc")
+ (2 "0ashj5d1g3zbyr7zf0r72s5wnk96cz1xj919y3jajadbc9qcvrzf")
+ (3 "0z88q4daq7dmw93iqd9c5i5d1sndklih3nrh0v75746da2n6w3h0")
+ (4 "0f0kh9j5k4ym6knshscx31przm50x5cc7ifkwqk0swh6clna982y")
+ (5 "1ym3b8b7lgmdp3dklp8qaqhyq965wd5392namq8mz7rb0d231j0s")
+ (6 "04q20igq49py49ynb0f83f6f52cdkyqwd9bpic6akr0m5pkqwr50")
+ (7 "18zkz23d9myshrwfcwcdjk7qmkqp8az5n91ni9jaixlwqlhy64qi")
+ (8 "0pprcwvh7ngdli0x95pc1cpssg4qg7layi9xrv2jq6c7965ajhcr")
+ (9 "19a0pf0alp30d1bjj0zf3zq2f5n0s6y91w7brm9jyswl51kns8n0")
+ (10 "1dzhr5ammyijisz48cqi5vaw26hfr5vh9smnqxq4qc9p06f7j1ff")
+ (11 "0fvzdzzi142a8rf3v965r6gbpn0k7fv2gif1yq8a4160vcn40qvw")
+ (12 "04lcgfcyz7p3zagb4hkia3hkpd7lii9m8ycy9qqwzyrm1c1pj4ry")
+ (13 "0y9cqi378z6flapkd5k5lfl4lq3ivzg4njj3i3wmw7xb6r9wma5z")
+ (14 "04xcb0k9fxxq4vashgzb98567xzdnm4655nlm4jvfvjv6si6ykas")
+ (15 "13ay6lldy1p00xj41nfjpq8lai3vw2qwca79gx6s80z04j53wa8k")
+ (16 "0wq7bvx3pfw90pnfb86yg5nr9jgjsvm2nq5rrkqxf6zn977hpmlj")
+ (17 
"103p7sibihv6cshqj12k546zsbz0dnd5cv5vlx1719avddfc4rqj")
+ (18 "0n1x3812y1brb9xbabaj3fvr4cpvm2225iwckmqk2fcpkq5b9a3s")
+ (19 "08rd1p7zpzgbpmmmnj2im8wj2pcwmbbx51psr9vdc5c049si9ad7")
+ (20 "163c6g05qpag2plx5q795pmw3f3m904jy7z93xj2i08pgzc8cpna")
+ (21 "1a90cl3h10dh8k9f2ddrsjmw5ywaw2d5x78xb4fd2sryi039yhs1")
+ (22 "120s0s4qcqd0q12j1iv0hkpf9fp3w5jnqw646kv66n66jnxlfkgx")
+ (23 "1m00sfi88p2akgiyrg4hw0gvz3s1586pkzjdr3dm73vs773m1hls")
+ (24 "0v0gjqzjsqjfgj5x17fq7g649k94jn8zq92qsxkhc2d6l215hl1v")
+ (25 "0lcj96i659q35f1jcmwwbnw3p7w7vvlxjxqi989vn6d6qksqcl8y"))) ;CVE-2014-6271
+
+(define (download-patches store count)
+ "Download COUNT Bash patches into store. Return a list of
+number/base32-hash tuples, directly usable in the 'patch-series' form."
+ (unfold (cut > <> count)
+ (lambda (number)
+ (let* ((patch (download-to-store store (patch-url number)))
+ (sig (download-to-store store
+ (string-append (patch-url number)
+ ".sig"))))
+ (unless (gnupg-verify* sig patch)
+ (error "failed to verify signature" patch))
+
+ (list number
+ (bytevector->nix-base32-string
+ (call-with-input-file patch port-sha256)))))
+ 1+
+ 1))
 (define-public bash (let* ((cppflags (string-join '("-DSYS_BASHRC='\"/etc/bashrc\"'"
@@ -48,17 +117,21 @@
 ;; Add a `bash' -> `sh' link. (let ((out (assoc-ref outputs "out"))) (with-directory-excursion (string-append out "/bin")
- (symlink "bash" "sh"))))))
+ (symlink "bash" "sh")))))
+ (version "4.3"))
 (package (name "bash")
- (version "4.3")
 (source (origin (method url-fetch) (uri (string-append "mirror://gnu/bash/bash-" version ".tar.gz")) (sha256 (base32
- "1m14s1f61mf6bijfibcjm9y6pkyvz6gibyl8p4hxq90fisi8gimg"))))
+ "1m14s1f61mf6bijfibcjm9y6pkyvz6gibyl8p4hxq90fisi8gimg"))
+ (patch-flags '("-p0"))
+ (patches %patch-series-4.3)))
+ (version (string-append version "."
+ (number->string (length %patch-series-4.3))))
 (build-system gnu-build-system) (inputs `(("readline" ,readline) ("ncurses" ,ncurses))) ; TODO: add texinfo
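Review bot: `download-patches` gates each hash on `gnupg-verify*`, but neither the code nor the comment on `%patch-series-4.3` records which signing key the 25 recorded hashes were checked against, and gnupg-verify* is only autoloaded here, so whether it pins the signer cannot be seen from this hunk; if it accepts any key GnuPG reports as good, a signature from an unrelated or freshly fetched key passes the same check. Record the key in the comment (`;; Hashes below were verified against key <BASH-MAINTAINER-KEY-FINGERPRINT>.`, fingerprint placeholder to be filled in) and, if gnupg-verify* exposes the signer's fingerprint, compare it with that constant inside download-patches before hashing. At build time users are protected only by the base32 sha256 values embedded here, not by the signature check, so those constants are the real trust anchor and the comment should say so. Minor: the `bash-patch` docstring is missing its closing period, and the `;CVE-2014-6271` tag on entry 25 would be clearer as a comment above `patch-series` stating that patch 25 is the fix for that CVE and that the series is expected to grow.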
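Review bot: After this change the name `version` means two things a few lines apart: the let-bound "4.3" feeding the tarball URI, and the package field computed as `4.3.<number of patches>`; that is correct but easy to misread, so either rename the binding (e.g. `base-version`, used in both the URI and the new version field) or add `;; Version is BASE.PATCH-LEVEL; the tarball and patch URLs still use BASE.` above the field. `(patch-flags '("-p0"))` also deserves a one-line why-comment — presumably the upstream patches are not rooted in a top-level directory — so that nobody later "fixes" it to the usual -p1. The define-public form that the hunk modifies begins before it.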