Merge branch 'bash-cve-2014-6271'

Ludovic Courtès 2014-09-26 09:49:09 +02:00
commit b5c5d763ca
4 changed files with 95 additions and 11 deletions


@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU ;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2012, 2013 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2012, 2013, 2014 Ludovic Courtès <ludo@gnu.org>
;;; ;;;
;;; This file is part of GNU Guix. ;;; This file is part of GNU Guix.
;;; ;;;
@ -23,7 +23,76 @@
#:use-module (guix packages) #:use-module (guix packages)
#:use-module (guix download) #:use-module (guix download)
#:use-module (guix utils) #:use-module (guix utils)
#:use-module (guix build-system gnu)) #:use-module (guix build-system gnu)
#:autoload (guix gnupg) (gnupg-verify*)
#:autoload (guix hash) (port-sha256)
#:autoload (guix base32) (bytevector->nix-base32-string)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-26)
#:use-module (ice-9 format))
(define (patch-url seqno)
"Return the URL of Bash patch number SEQNO."
(format #f "mirror://gnu/bash/bash-4.3-patches/bash43-~3,'0d" seqno))
(define (bash-patch seqno sha256)
"Return the origin of Bash patch SEQNO, with expected hash SHA256"
(origin
(method url-fetch)
(uri (patch-url seqno))
(sha256 sha256)))
(define-syntax-rule (patch-series (seqno hash) ...)
(list (bash-patch seqno (base32 hash))
...))
(define %patch-series-4.3
;; This is the current patches series for 4.3, generated using
;; 'download-patches' below.
(patch-series
(1 "0hip2n2s5hws8p4nfcz37379zn6cak83ljsm64z52rw6ckrdzczc")
(2 "0ashj5d1g3zbyr7zf0r72s5wnk96cz1xj919y3jajadbc9qcvrzf")
(3 "0z88q4daq7dmw93iqd9c5i5d1sndklih3nrh0v75746da2n6w3h0")
(4 "0f0kh9j5k4ym6knshscx31przm50x5cc7ifkwqk0swh6clna982y")
(5 "1ym3b8b7lgmdp3dklp8qaqhyq965wd5392namq8mz7rb0d231j0s")
(6 "04q20igq49py49ynb0f83f6f52cdkyqwd9bpic6akr0m5pkqwr50")
(7 "18zkz23d9myshrwfcwcdjk7qmkqp8az5n91ni9jaixlwqlhy64qi")
(8 "0pprcwvh7ngdli0x95pc1cpssg4qg7layi9xrv2jq6c7965ajhcr")
(9 "19a0pf0alp30d1bjj0zf3zq2f5n0s6y91w7brm9jyswl51kns8n0")
(10 "1dzhr5ammyijisz48cqi5vaw26hfr5vh9smnqxq4qc9p06f7j1ff")
(11 "0fvzdzzi142a8rf3v965r6gbpn0k7fv2gif1yq8a4160vcn40qvw")
(12 "04lcgfcyz7p3zagb4hkia3hkpd7lii9m8ycy9qqwzyrm1c1pj4ry")
(13 "0y9cqi378z6flapkd5k5lfl4lq3ivzg4njj3i3wmw7xb6r9wma5z")
(14 "04xcb0k9fxxq4vashgzb98567xzdnm4655nlm4jvfvjv6si6ykas")
(15 "13ay6lldy1p00xj41nfjpq8lai3vw2qwca79gx6s80z04j53wa8k")
(16 "0wq7bvx3pfw90pnfb86yg5nr9jgjsvm2nq5rrkqxf6zn977hpmlj")
(17 "103p7sibihv6cshqj12k546zsbz0dnd5cv5vlx1719avddfc4rqj")
(18 "0n1x3812y1brb9xbabaj3fvr4cpvm2225iwckmqk2fcpkq5b9a3s")
(19 "08rd1p7zpzgbpmmmnj2im8wj2pcwmbbx51psr9vdc5c049si9ad7")
(20 "163c6g05qpag2plx5q795pmw3f3m904jy7z93xj2i08pgzc8cpna")
(21 "1a90cl3h10dh8k9f2ddrsjmw5ywaw2d5x78xb4fd2sryi039yhs1")
(22 "120s0s4qcqd0q12j1iv0hkpf9fp3w5jnqw646kv66n66jnxlfkgx")
(23 "1m00sfi88p2akgiyrg4hw0gvz3s1586pkzjdr3dm73vs773m1hls")
(24 "0v0gjqzjsqjfgj5x17fq7g649k94jn8zq92qsxkhc2d6l215hl1v")
(25 "0lcj96i659q35f1jcmwwbnw3p7w7vvlxjxqi989vn6d6qksqcl8y"))) ;CVE-2014-6271
(define (download-patches store count)
"Download COUNT Bash patches into store. Return a list of
number/base32-hash tuples, directly usable in the 'patch-series' form."
(unfold (cut > <> count)
(lambda (number)
(let* ((patch (download-to-store store (patch-url number)))
(sig (download-to-store store
(string-append (patch-url number)
".sig"))))
(unless (gnupg-verify* sig patch)
(error "failed to verify signature" patch))
(list number
(bytevector->nix-base32-string
(call-with-input-file patch port-sha256)))))
1+
1))
(define-public bash (define-public bash
(let* ((cppflags (string-join '("-DSYS_BASHRC='\"/etc/bashrc\"'" (let* ((cppflags (string-join '("-DSYS_BASHRC='\"/etc/bashrc\"'"
@ -48,17 +117,21 @@
;; Add a `bash' -> `sh' link. ;; Add a `bash' -> `sh' link.
(let ((out (assoc-ref outputs "out"))) (let ((out (assoc-ref outputs "out")))
(with-directory-excursion (string-append out "/bin") (with-directory-excursion (string-append out "/bin")
(symlink "bash" "sh")))))) (symlink "bash" "sh")))))
(version "4.3"))
(package (package
(name "bash") (name "bash")
(version "4.3")
(source (origin (source (origin
(method url-fetch) (method url-fetch)
(uri (string-append (uri (string-append
"mirror://gnu/bash/bash-" version ".tar.gz")) "mirror://gnu/bash/bash-" version ".tar.gz"))
(sha256 (sha256
(base32 (base32
"1m14s1f61mf6bijfibcjm9y6pkyvz6gibyl8p4hxq90fisi8gimg")))) "1m14s1f61mf6bijfibcjm9y6pkyvz6gibyl8p4hxq90fisi8gimg"))
(patch-flags '("-p0"))
(patches %patch-series-4.3)))
(version (string-append version "."
(number->string (length %patch-series-4.3))))
(build-system gnu-build-system) (build-system gnu-build-system)
(inputs `(("readline" ,readline) (inputs `(("readline" ,readline)
("ncurses" ,ncurses))) ; TODO: add texinfo ("ncurses" ,ncurses))) ; TODO: add texinfo
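Review bot: The `;CVE-2014-6271` tag on patch 25 in `%patch-series-4.3` is the only documentation of why the series was extended, and the comment above the list does not say how it is regenerated or that the patch count now feeds the package version via `(number->string (length %patch-series-4.3))`. Suggested replacement for the two-line comment: `;; Current 4.3 patch series; regenerate with 'download-patches' below, which checks each patch's detached signature before recording its hash. Patch 25 is the first upstream fix for CVE-2014-6271; if upstream publishes follow-ups for the same issue, re-run 'download-patches' with the new count and append them.` It is worth making explicit that `bash-patch` pins only the sha256, so the `gnupg-verify*` check in `download-patches` happens when the list is generated, not at build time. The `bash` `let*` form opened at the end of this hunk continues into the next one.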


@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU ;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2012, 2013 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2012, 2013, 2014 Ludovic Courtès <ludo@gnu.org>
;;; ;;;
;;; This file is part of GNU Guix. ;;; This file is part of GNU Guix.
;;; ;;;
@ -78,7 +78,14 @@
(boot url-fetch)) (boot url-fetch))
(else orig-method))) (else orig-method)))
(patch-guile %bootstrap-guile) (patch-guile %bootstrap-guile)
(patch-inputs %bootstrap-patch-inputs)))) (patch-inputs %bootstrap-patch-inputs)
;; Patches can be origins as well, so process them.
(patches (map (match-lambda
((? origin? patch)
(bootstrap-origin patch))
(patch patch))
(origin-patches source))))))
(define (package-from-tarball name source program-to-test description) (define (package-from-tarball name source program-to-test description)
"Return a package that correspond to the extraction of SOURCE. "Return a package that correspond to the extraction of SOURCE.
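Review bot: The fallback clause `(patch patch)` in the new `patches` mapping passes any non-origin value through unchanged, so a malformed entry only fails later in `patch-inputs`, which accepts strings and origins only; writing it as `((? string? patch) patch)` keeps this bootstrap variant as strict as that consumer and makes the accepted kinds visible at the call site. The definition this hunk modifies starts before the hunk, so whether `match-lambda` is already in scope cannot be confirmed from here.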


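--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2010, 2011, 2013 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2010, 2011, 2013, 2014 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -54,7 +54,7 @@
 ;; See file `doc/DETAILS' in GnuPG.
 (define sigid-rx
 (make-regexp
-"^\\[GNUPG:\\] SIG_ID ([A-Za-z0-9/]+) ([[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}) ([[:digit:]]+)"))
+"^\\[GNUPG:\\] SIG_ID ([A-Za-z0-9+/]+) ([[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}) ([[:digit:]]+)"))
 (define goodsig-rx
 (make-regexp "^\\[GNUPG:\\] GOODSIG ([[:xdigit:]]+) (.+)$"))
 (define validsig-rx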
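Review bot: The widened character class `[A-Za-z0-9+/]+` in `sigid-rx` is the base64 alphabet, but the only documentation is the generic `;; See file `doc/DETAILS' in GnuPG.` line above it, so a later editor could narrow it again without noticing why `+` was added. A one-line comment directly above the `make-regexp` call, `;; SIG_ID is base64-encoded, so '+' and '/' are valid characters.`, records the reason; a test feeding a status line whose SIG_ID contains `+` would pin the behaviour. Since `download-patches` in the bash file relies on `gnupg-verify*` to accept or reject a patch, the parsing of these status lines is part of the supply-chain check and deserves that test.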


@ -345,8 +345,12 @@ IMPORTED-MODULES specify modules to use/import for use by SNIPPET."
(define patch-inputs (define patch-inputs
(map (lambda (number patch) (map (lambda (number patch)
(list (string-append "patch" (number->string number)) (list (string-append "patch" (number->string number))
(match patch
((? string?)
(add-to-store store (basename patch) #t (add-to-store store (basename patch) #t
"sha256" patch))) "sha256" patch))
((? origin?)
(package-source-derivation store patch)))))
(iota (length patches)) (iota (length patches))
patches)) patches))
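Review bot: The new `match` in `patch-inputs` has no clause for a value that is neither a string nor an origin, so such an entry fails with a generic match error that does not name the offending patch. If those two kinds are the whole contract, a comment at the `(match patch` line, `;; PATCH is a file name or an origin (see 'origin-patches').`, makes that explicit; otherwise add a final clause that raises an error mentioning `patch`. The enclosing definition starts and ends outside this hunk.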