From 2d5d63d7180137cc4bc9527a8fb472173629731c Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Sun, 28 Sep 2014 01:48:58 -0400 Subject: gnu: bash: Update to 4.3.27 and fix out-of-bounds memory accesses. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Based on a patch by Ludovic Courtès . * gnu/packages/bash.scm (%patch-series-4.3): Add two patches. (bash)[source]: Add parser-oob patch. Add 'snippet'. [native-inputs]: New field. * gnu/packages/commencement.scm (bison-boot1): New variable. (static-bash-for-glibc): Add 'native-inputs'. Co-Authored-By: Ludovic Courtès --- gnu/packages/bash.scm | 26 +++++++++++++++++++++++--- gnu/packages/commencement.scm | 20 ++++++++++++++++++++ 2 files changed, 43 insertions(+), 3 deletions(-) diff --git a/gnu/packages/bash.scm b/gnu/packages/bash.scm index a2952ceef5..d2f20735cb 100644 --- a/gnu/packages/bash.scm +++ b/gnu/packages/bash.scm @@ -20,6 +20,7 @@ #:use-module (guix licenses) #:use-module (gnu packages ncurses) #:use-module (gnu packages readline) + #:use-module (gnu packages bison) #:use-module (guix packages) #:use-module (guix download) #:use-module (guix utils) @@ -74,7 +75,9 @@ (22 "120s0s4qcqd0q12j1iv0hkpf9fp3w5jnqw646kv66n66jnxlfkgx") (23 "1m00sfi88p2akgiyrg4hw0gvz3s1586pkzjdr3dm73vs773m1hls") (24 "0v0gjqzjsqjfgj5x17fq7g649k94jn8zq92qsxkhc2d6l215hl1v") - (25 "0lcj96i659q35f1jcmwwbnw3p7w7vvlxjxqi989vn6d6qksqcl8y"))) ;CVE-2014-6271 + (25 "0lcj96i659q35f1jcmwwbnw3p7w7vvlxjxqi989vn6d6qksqcl8y") ;CVE-2014-6271 + (26 "0k919ir0inwn4wai2vdzpbwqq5h54fnrlkmgccxjg91v3ch15k1f") ;CVE-2014-7169 + (27 "1gnsfvq6bhb3srlbh0cannj2hackdsipcg7z0ds7zlk1hp96mdqy"))) (define (download-patches store count) "Download COUNT Bash patches into store. Return a list of @@ -129,12 +132,29 @@ number/base32-hash tuples, directly usable in the 'patch-series' form." (base32 "1m14s1f61mf6bijfibcjm9y6pkyvz6gibyl8p4hxq90fisi8gimg")) (patch-flags '("-p0")) - (patches %patch-series-4.3))) + (patches + (append + %patch-series-4.3 + (list + ;; Fix out-of-bound memory accesses. + ;; See . + (origin + (method url-fetch) + (uri "http://seclists.org/oss-sec/2014/q3/att-712/parser-oob-4_2.patch") + (sha256 + (base32 + "1zc26qv76ch2l7pxyzcw0b0bpdsr65g9hrrl2gpw6k9kq2sjvc36")))))) + + ;; The patches above modify 'parse.y', so force a rebuild of the + ;; parser. + (snippet '(for-each delete-file + '("y.tab.c" "y.tab.h" "parser-built"))))) (version (string-append version "." (number->string (length %patch-series-4.3)))) (build-system gnu-build-system) + (native-inputs `(("bison" ,bison))) ;to rebuild the parser (inputs `(("readline" ,readline) - ("ncurses" ,ncurses))) ; TODO: add texinfo + ("ncurses" ,ncurses))) ;TODO: add texinfo (arguments `(;; When cross-compiling, `configure' incorrectly guesses that job ;; control is missing. diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm index 79c22a5974..92ac090722 100644 --- a/gnu/packages/commencement.scm +++ b/gnu/packages/commencement.scm @@ -27,8 +27,10 @@ #:use-module (gnu packages bash) #:use-module (gnu packages gcc) #:use-module (gnu packages ed) + #:use-module (gnu packages m4) #:use-module (gnu packages file) #:use-module (gnu packages gawk) + #:use-module (gnu packages bison) #:use-module (gnu packages guile) #:use-module (gnu packages multiprecision) #:use-module (gnu packages compression) @@ -396,6 +398,23 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%" ("bash" ,bash))) (inputs '()))) +(define bison-boot1 + ;; XXX: This Bison is needed to rebuild Bash's parser, which is modified by + ;; its CVE patches. Remove it when it's no longer needed. + (let* ((m4 (package-with-bootstrap-guile + (package-with-explicit-inputs m4 %boot0-inputs + (current-source-location) + #:guile %bootstrap-guile))) + (bison (package (inherit bison) + (native-inputs `(("perl" ,perl-boot0))) + (propagated-inputs `(("m4" ,m4))) + (inputs '()) ;remove Flex... + (arguments '(#:tests? #f))))) ;... and thus disable tests + (package-with-bootstrap-guile + (package-with-explicit-inputs bison %boot0-inputs + (current-source-location) + #:guile %bootstrap-guile)))) + (define static-bash-for-glibc ;; A statically-linked Bash to be embedded in GLIBC-FINAL, for use by ;; system(3) & co. @@ -403,6 +422,7 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%" glibc-final-with-bootstrap-bash (car (assoc-ref %boot1-inputs "bash")))) (bash (package (inherit bash-light) + (native-inputs `(("bison" ,bison-boot1))) (arguments `(#:guile ,%bootstrap-guile ,@(package-arguments bash-light)))))) -- cgit v1.2.3