GNU bug report logs

#47144 security patching of 'patch' package


Message #95 received at 47144@debbugs.gnu.org (full text, mbox, reply):

From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: 47144@debbugs.gnu.org
Subject: [PATCH v4 3/3] gnu: patch: Update to latest commit [security fixes].
Date: Wed,  5 Jun 2024 20:46:21 -0400
Message-ID: <7663177c58ca72f54b6c715561701952b35910ec.1717634752.git.maxim.cournoyer@gmail.com>
X-Mailer: git-send-email 2.45.1
In-Reply-To: <a3641c8501b839cb4490edca279bf15a8141b8ea.1717634752.git.maxim.cournoyer@gmail.com>
References: <a3641c8501b839cb4490edca279bf15a8141b8ea.1717634752.git.maxim.cournoyer@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-Debbugs-Cc: Mark H Weaver <mhw@netris.org>, Ludovic Courtès <ludo@gnu.org>, Léo Le Bouter <lle-bout@zaclys.net>, Leo Famulari <leo@famulari.name>, Maxim Cournoyer <maxim.cournoyer@gmail.com>, Simon Tournier <zimon.toutoune@gmail.com>, Christopher Baines <guix@cbaines.net>, Efraim Flashner <efraim@flashner.co.il>, Ekaitz Zarraga <ekaitz@elenq.tech>, Guillaume Le Vaillant <glv@posteo.net>, Josselin Poiret <dev@jpoiret.xyz>, Katherine Cox-Buday <cox.katherine.e+guix@gmail.com>, Mathieu Othacehe <othacehe@gnu.org>, Munyoki Kilyungi <me@bonfacemunyoki.com>, Ricardo Wurmus <rekado@elephly.net>, Sharlatan Hellseher <sharlatanus@gmail.com>, Tobias Geerinckx-Rice <me@tobias.gr>, jgart <jgart@dismail.de>
Content-Transfer-Encoding: 8bit
Cc: Mark H Weaver <mhw@netris.org>, Maxim Cournoyer <maxim.cournoyer@gmail.com>
* gnu/packages/base.scm (patch): Rename to...
(patch/pinned): ... this.  Hide package.
(patch): New variable.
* gnu/packages/commencement.scm (patch-mesboot): Inherit from patch/pinned.
(patch-boot0): Likewise.
(%final-inputs): Replace patch with patch/pinned.
* gnu/packages/lisp.scm (cl-asdf): Likewise.
* guix/packages.scm (%standard-patch-inputs): Replace patch with patch/pinned.

Fixes: https://issues.guix.gnu.org/47144
Reported-by: Mark H Weaver <mhw@netris.org>
Change-Id: I54ae41b735f5ba0ebad30ebdfaabe0ccdc3f9873
---

Changes in v4:
 - Use a hidden patch/pinned and patch variables instead of a graft

Changes in v3:
 - Do not use inheritance for patch/fixed origin

Changes in v2:
 - Use same version to have the same store length, a graft requirement
 - Copy the gnulib source in a phase to avoid introducing a dependency cycle

 gnu/packages/base.scm         | 102 +++++++++++++++++++++++++---------
 gnu/packages/commencement.scm |   8 +--
 gnu/packages/lisp.scm         |   2 +-
 guix/packages.scm             |   2 +-
 4 files changed, 82 insertions(+), 32 deletions(-)

diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index bbe5b8cf57..66c5b7d237 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -19,7 +19,7 @@
 ;;; Copyright © 2021 Leo Le Bouter <lle-bout@zaclys.net>
 ;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
 ;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net>
-;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021, 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 ;;; Copyright © 2022 zamfofex <zamfofex@twdb.moe>
 ;;; Copyright © 2022 John Kehayias <john.kehayias@protonmail.com>
 ;;; Copyright © 2023 Josselin Poiret <dev@jpoiret.xyz>
@@ -46,8 +46,10 @@ (define-module (gnu packages base)
   #:use-module (gnu packages acl)
   #:use-module (gnu packages algebra)
   #:use-module (gnu packages attr)
+  #:use-module (gnu packages autotools)
   #:use-module (gnu packages bash)
   #:use-module (gnu packages bison)
+  #:use-module (gnu packages build-tools)
   #:use-module (gnu packages gcc)
   #:use-module (gnu packages guile)
   #:use-module (gnu packages multiprecision)
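Review bot: The two added #:use-module lines, (gnu packages autotools) and (gnu packages build-tools), are what bring autoconf, automake and gnulib into scope for the new `patch` definition; since the later hunk says the gnulib sources are copied in a phase precisely "to avoid introducing a dependency cycle", please verify that neither of these modules transitively imports (gnu packages base), otherwise the cycle is only moved from the package graph to the module graph.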
@@ -261,35 +263,83 @@ (define-public tar
    (license gpl3+)
    (home-page "https://www.gnu.org/software/tar/")))
 
-(define-public patch
-  (package
-    (name "patch")
-    (version "2.7.6")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://gnu/patch/patch-"
-                                  version ".tar.xz"))
-              (sha256
-               (base32
-                "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc"))
-              (patches (search-patches "patch-hurd-path-max.patch"))))
-    (build-system gnu-build-system)
-    (arguments
-     ;; Work around a cross-compilation bug whereby libpatch.a would provide
-     ;; '__mktime_internal', which conflicts with the one in libc.a.
-     (if (%current-target-system)
-         `(#:configure-flags '("gl_cv_func_working_mktime=yes"))
-         '()))
-    (native-inputs (list ed))
-    (synopsis "Apply differences to originals, with optional backups")
-    (description
-     "Patch is a program that applies changes to files based on differences
+;;; TODO: Replace/merge with 'patch' on core-updates.
+(define-public patch/pinned
+  (hidden-package
+   (package
+     (name "patch")
+     (version "2.7.6")
+     (source (origin
+               (method url-fetch)
+               (uri (string-append "mirror://gnu/patch/patch-"
+                                   version ".tar.xz"))
+               (sha256
+                (base32
+                 "1zfqy4rdcy279vwn2z1kbv19dcfw25d2aqy9nzvdkq5bjzd0nqdc"))
+               (patches (search-patches "patch-hurd-path-max.patch"))))
+     (build-system gnu-build-system)
+     (arguments
+      ;; Work around a cross-compilation bug whereby libpatch.a would provide
+      ;; '__mktime_internal', which conflicts with the one in libc.a.
+      (if (%current-target-system)
+          `(#:configure-flags '("gl_cv_func_working_mktime=yes"))
+          '()))
+     (native-inputs (list ed))
+     (synopsis "Apply differences to originals, with optional backups")
+     (description
+      "Patch is a program that applies changes to files based on differences
 laid out as by the program \"diff\".  The changes may be applied to one or more
 files depending on the contents of the diff file.  It accepts several
 different diff formats.  It may also be used to revert previously applied
 differences.")
-    (license gpl3+)
-    (home-page "https://savannah.gnu.org/projects/patch/")))
+     (license gpl3+)
+     (home-page "https://savannah.gnu.org/projects/patch/"))))
+
+(define-public patch
+  ;; The latest release is from 2018, and lacks multiple security related
+  ;; patches.  Since Fedora carries 23 patches, simply use the latest commit
+  ;; until a proper release is made.
+  (let ((revision "0")
+        (commit "f144b35425d9d7732ea5485034c1a6b7a106ab92")
+        (base patch/pinned))
+    (package
+      (inherit base)
+      (name "patch")
+      (version (git-version "2.7.6" revision commit))
+      (source (origin
+                (method git-fetch)
+                (uri (git-reference
+                      (url "https://git.savannah.gnu.org/git/patch.git")
+                      (commit commit)))
+                (file-name (git-file-name name version))
+                (sha256
+                 (base32
+                  "1bk38169c0xh01b0q0zmnrjqz8k9byz3arp4q7q66sn6xwf94nvz"))
+                (patches (search-patches "patch-hurd-path-max.patch"))))
+      (arguments
+       (substitute-keyword-arguments (package-arguments base)
+         ((#:phases phases '%standard-phases)
+          #~(modify-phases #$phases
+              (add-after 'unpack 'copy-gnulib-sources
+                (lambda _
+                  ;; XXX: We copy the source instead of using 'gnulib' as a
+                  ;; native input to avoid introducing a dependency cycle.
+                  (copy-recursively #+gnulib "gnulib")
+                  (setenv "GNULIB_SRCDIR"
+                          (string-append (getcwd) "/gnulib/src/gnulib"))))
+              (add-after 'copy-gnulib-sources 'update-bootstrap-script
+                (lambda _
+                  (copy-file "gnulib/src/gnulib/build-aux/bootstrap"
+                             "bootstrap")))
+              (add-after 'unpack 'patch-configure.ac
+                (lambda _
+                  (substitute* "configure.ac"
+                    ;; The gnulib-provided git-version-gen script has a plain
+                    ;; shebang of #!/bin/sh; avoid using it.
+                    (("build-aux/git-version-gen" all)
+                     (string-append "sh " all)))))))))
+      (native-inputs (list autoconf automake bison ed))
+      (properties '()))))
 
 (define-public diffutils
   (package
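Review bot: The new `patch` variable pins commit f144b35425d9d7732ea5485034c1a6b7a106ab92 and justifies it only with "lacks multiple security related patches", so neither the in-code comment nor the commit message says which fixes the pinned commit actually brings in; list the upstream fixes (or at least the upstream commit range) next to the `(commit ...)` binding so that reviewers and anyone auditing the "[security fixes]" subject can tell what this update closes. Two details in the 'phases modifications also deserve a comment: copying gnulib's `build-aux/bootstrap` to `bootstrap` is what makes gnu-build-system's bootstrap step run on a git checkout that has no configure script, and the trailing `(properties '())` is required because the package inherits from the hidden `patch/pinned` and would otherwise stay hidden itself.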
diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
index b4d236c35b..0433059493 100644
--- a/gnu/packages/commencement.scm
+++ b/gnu/packages/commencement.scm
@@ -878,7 +878,7 @@ (define tcc-boot
 (define patch-mesboot
   ;; The initial patch.
   (package
-    (inherit patch)
+    (inherit patch/pinned)
     (name "patch-mesboot")
     (version "2.5.9")
     (source (origin
@@ -2167,8 +2167,8 @@ (define gawk-boot0
 
 (define patch-boot0
   (package
-    (inherit patch)
-    (source (bootstrap-origin (package-source patch)))
+    (inherit patch/pinned)
+    (source (bootstrap-origin (package-source patch/pinned)))
     (name "patch-boot0")
     (native-inputs '())
     (inputs
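Review bot: Keeping patch-boot0 (and patch-mesboot in the previous hunk) on `patch/pinned` is correct, because this hunk also keeps `(native-inputs '())` while the git-based `patch` now needs autoconf, automake and bison to bootstrap, which the early bootstrap chain cannot supply; a one-line comment at `(inherit patch/pinned)` saying the bootstrap path intentionally stays on the 2.7.6 release tarball would stop someone from "fixing" it back to `patch` later.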
@@ -3482,7 +3482,7 @@ (define-public %final-inputs
                    ("bzip2" ,bzip2)
                    ("file" ,file)
                    ("diffutils" ,diffutils)
-                   ("patch" ,patch)
+                   ("patch" ,patch/pinned)
                    ("findutils" ,findutils)
                    ("gawk" ,gawk)))
           ("sed" ,sed-final)
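Review bot: Switching %final-inputs to `patch/pinned` means every gnu-build-system build keeps applying patches with the unchanged 2.7.6 release, and only packages or users that refer to `patch` explicitly receive the updated commit; that is the intended trade-off for avoiding a world rebuild, but it should be stated in the commit message and in the TODO in base.scm so the "security fixes" in the subject are not read as covering the implicit build inputs.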
diff --git a/gnu/packages/lisp.scm b/gnu/packages/lisp.scm
index 6bf93d83c7..6f3bd126cc 100644
--- a/gnu/packages/lisp.scm
+++ b/gnu/packages/lisp.scm
@@ -121,7 +121,7 @@ (define-public cl-asdf
     (build-system trivial-build-system)
     (native-inputs
      `(("config-patch" ,@(search-patches "cl-asdf-config-directories.patch"))
-       ("patch" ,patch)))
+       ("patch" ,patch/pinned)))
     (arguments
      `(#:modules ((guix build utils)
                   (guix build lisp-utils))
diff --git a/guix/packages.scm b/guix/packages.scm
index abe89cdb07..f3a9a61785 100644
--- a/guix/packages.scm
+++ b/guix/packages.scm
@@ -899,7 +899,7 @@ (define (%standard-patch-inputs system)
       ("gzip"  ,(ref '(gnu packages compression) 'gzip))
       ("lzip"  ,(ref '(gnu packages compression) 'lzip))
       ("unzip" ,(ref '(gnu packages compression) 'unzip))
-      ("patch" ,(ref '(gnu packages base) 'patch))
+      ("patch" ,(ref '(gnu packages base) 'patch/pinned))
       ("locales"
        ,(parameterize ((%current-target-system #f)
                        (%current-system system))
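Review bot: `%standard-patch-inputs` now resolves `(gnu packages base) 'patch/pinned` by symbol through `ref`, so the rename or merge promised by the TODO in base.scm ("Replace/merge with 'patch' on core-updates") would only fail at run time here; mention this call site in that TODO so it is updated together with the package definitions.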
-- 
2.45.1

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sat Dec 21 17:07:22 2024; Machine Name: wallace-server