authorLudovic Courtès <ludo@gnu.org>2017-02-10 17:44:31 +0100
committerLudovic Courtès <ludo@gnu.org>2017-02-10 17:44:31 +0100
commit20c1b4b88d396b6261660e2fda03229094cce62d (patch)
treea2157ff1986b8697c2d6e7d031e9b93f652be16c /gnu/packages/bash.scm
parent768f0ac9dd9993827430d62d0f72a5020f476892 (diff)
gnu: bash: Remove graft for CVE-2017-5932.
* gnu/packages/bash.scm (bash)[replacement]: Remove. (bash-minimal)[replacement]: Remove. (url-fetch/reset-patch-level, bash/fixed): Remove.
Diffstat (limited to 'gnu/packages/bash.scm')
-rw-r--r--gnu/packages/bash.scm41
1 files changed, 1 insertions, 40 deletions
diff --git a/gnu/packages/bash.scm b/gnu/packages/bash.scm
index ec9f83519f..910da0b197 100644
--- a/gnu/packages/bash.scm
+++ b/gnu/packages/bash.scm
@@ -65,7 +65,7 @@
(4 "1cy8abf96hkrjhw921ndr0shlcnc52bg45rn6xri4v5clhq0l25d")
(5 "0a8515kyk4zsgmvlqvlganjfr7pq0j6kzpr4d6xx02kpbdr4n7i2")
(6 "1f24wgqngmj2mrj9yibwvc2zvlmn5xi53mnw777g3l40c4m2x3ka")
- (7 "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y")
+ (7 "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y") ;CVE-2017-5932
(8 "1firw915mjm03hbbw9a70ch3cpgrgnvqjpllgdnn6csr8q04f546")
(9 "0g1l56kvw61rpw7dqa9fcl9llkl693h73g631hrhxlm030ddssqb")
(10 "01lfhrkdsdkdz8ypzapr614ras23x7ckjnr60aa5bzkaqprccrc4")
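Review bot: The new comment on the patch 7 entry, `;CVE-2017-5932`, does not say whether the entry fixes the issue or what the issue is. It is also the only mention of this CVE left in the visible part of the file once `bash/fixed` and the `bash-minimal` remark are deleted in the later hunks. I would write `;fixes CVE-2017-5932 (RCE with completion)`, reusing the wording from the removed `bash/fixed` definition. Dropping the graft is safe only if the `bash` origin applies this series at least up to patch 7; that part of the package is outside the visible hunks, so it is worth confirming before merging.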
@@ -110,7 +110,6 @@ number/base32-hash tuples, directly usable in the 'patch-series' form."
(version "4.4"))
(package
(name "bash")
- (replacement bash/fixed)
(source (origin
(method url-fetch)
(uri (string-append
@@ -204,7 +203,6 @@ without modification.")
;; A stripped-down Bash for non-interactive use.
(package (inherit bash)
(name "bash-minimal")
- (replacement #f) ;not vulnerable to CVE-2017-5932 since it lacks completion
(inputs '()) ; no readline, no curses
;; No "include" output because there's no support for loadable modules.
@@ -260,43 +258,6 @@ without modification.")
(delete-file-recursively (string-append out "/share"))
#t))))))))))
-(define* (url-fetch/reset-patch-level url hash-algo hash
- #:optional name
- #:key (system (%current-system)) guile)
- "Fetch the Bash patch from URL and reset its 'PATCHLEVEL' definition so it
-can apply to a patch-level 0 Bash."
- (mlet* %store-monad ((name -> (or name (basename url)))
- (patch (url-fetch url hash-algo hash
- (string-append name ".orig")
- #:system system
- #:guile guile)))
- (gexp->derivation name
- (with-imported-modules '((guix build utils))
- #~(begin
- (use-modules (guix build utils))
- (copy-file #$patch #$output)
- (substitute* #$output
- (("PATCHLEVEL [0-6]+")
- "PATCHLEVEL 0"))))
- #:guile-for-build guile
- #:system system)))
-
-(define bash/fixed ;CVE-2017-5932 (RCE with completion)
- (package
- (inherit bash)
- (version "4.4.A") ;4.4.0 + patch #7
- (replacement #f)
- (source
- (origin
- (inherit (package-source bash))
- (patches (cons (origin
- (method url-fetch/reset-patch-level)
- (uri (patch-url 7))
- (sha256
- (base32
- "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y")))
- (origin-patches (package-source bash))))))))
-
(define-public bash-completion
(package
(name "bash-completion")