Skip to content
Snippets Groups Projects
Commit 969774c9 authored by Luis Guzmán's avatar Luis Guzmán
Browse files

guix: upgrade version from FTBFS + add missing CVE-2024-27297 fix via helper.

parent 47e7a17a
Branches nabia
No related tags found
No related merge requests found
From 4a67c00ad02fbe7a7f5796c4c4dc2c0ad70f0472 Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant@debian.org>
Date: Tue, 12 Mar 2024 09:18:23 -0700
Subject: [PATCH] debian/patches: guix-daemon: Protect against file descriptor
escape when building fixed-output derivations (CVE-2024-27297). (Closes:
#1066113)
---
...gainst-FD-escape-when-building-fixed.patch | 232 ++++++++++++++++++
...hortcoming-in-previous-security-fix-.patch | 106 ++++++++
debian/patches/series | 2 +
3 files changed, 340 insertions(+)
create mode 100644 debian/patches/security/0001-daemon-Protect-against-FD-escape-when-building-fixed.patch
create mode 100644 debian/patches/security/0032-daemon-Address-shortcoming-in-previous-security-fix-.patch
diff --git a/debian/patches/security/0001-daemon-Protect-against-FD-escape-when-building-fixed.patch b/debian/patches/security/0001-daemon-Protect-against-FD-escape-when-building-fixed.patch
new file mode 100644
index 0000000000..e6e02cf206
--- /dev/null
+++ b/debian/patches/security/0001-daemon-Protect-against-FD-escape-when-building-fixed.patch
@@ -0,0 +1,232 @@
+From 8f4ffb3fae133bb21d7991e97c2f19a7108b1143 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <ludo@gnu.org>
+Date: Mon, 11 Mar 2024 10:59:42 +0100
+Subject: [PATCH 01/36] daemon: Protect against FD escape when building
+ fixed-output derivations (CVE-2024-27297).
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This fixes a security issue (CVE-2024-27297) whereby a fixed-output
+derivation build process could open a writable file descriptor to its
+output, send it to some outside process for instance over an abstract
+AF_UNIX socket, which would then allow said process to modify the file
+in the store after it has been marked as “valid”.
+
+Vulnerability discovered by puck <https://github.com/puckipedia>.
+
+Nix security advisory:
+https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37
+
+Nix fix:
+https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9
+
+* nix/libutil/util.cc (readDirectory): Add variants that take a DIR* and
+a file descriptor. Rewrite the ‘Path’ variant accordingly.
+(copyFile, copyFileRecursively): New functions.
+* nix/libutil/util.hh (copyFileRecursively): New declaration.
+* nix/libstore/build.cc (DerivationGoal::buildDone): When ‘fixedOutput’
+is true, call ‘copyFileRecursively’ followed by ‘rename’ on each output.
+
+Change-Id: I7952d41093eed26e123e38c14a4c1424be1ce1c4
+
+Reported-by: Picnoir <picnoir@alternativebit.fr>, Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
+Change-Id: Idb5f2757f35af86b032a9851cecb19b70227bd88
+---
+ nix/libstore/build.cc | 16 ++++++
+ nix/libutil/util.cc | 112 ++++++++++++++++++++++++++++++++++++++++--
+ nix/libutil/util.hh | 6 +++
+ 3 files changed, 129 insertions(+), 5 deletions(-)
+
+diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
+index 461fcbc584..e2adee118b 100644
+--- a/nix/libstore/build.cc
++++ b/nix/libstore/build.cc
+@@ -1382,6 +1382,22 @@ void DerivationGoal::buildDone()
+ % drvPath % statusToString(status));
+ }
+
++ if (fixedOutput) {
++ /* Replace the output, if it exists, by a fresh copy of itself to
++ make sure that there's no stale file descriptor pointing to it
++ (CVE-2024-27297). */
++ foreach (DerivationOutputs::iterator, i, drv.outputs) {
++ if (pathExists(i->second.path)) {
++ Path pivot = i->second.path + ".tmp";
++ copyFileRecursively(i->second.path, pivot, true);
++ int err = rename(pivot.c_str(), i->second.path.c_str());
++ if (err != 0)
++ throw SysError(format("renaming `%1%' to `%2%'")
++ % pivot % i->second.path);
++ }
++ }
++ }
++
+ /* Compute the FS closure of the outputs and register them as
+ being valid. */
+ registerOutputs();
+diff --git a/nix/libutil/util.cc b/nix/libutil/util.cc
+index 82eac72120..493f06f357 100644
+--- a/nix/libutil/util.cc
++++ b/nix/libutil/util.cc
+@@ -215,14 +215,11 @@ bool isLink(const Path & path)
+ }
+
+
+-DirEntries readDirectory(const Path & path)
++static DirEntries readDirectory(DIR *dir)
+ {
+ DirEntries entries;
+ entries.reserve(64);
+
+- AutoCloseDir dir = opendir(path.c_str());
+- if (!dir) throw SysError(format("opening directory `%1%'") % path);
+-
+ struct dirent * dirent;
+ while (errno = 0, dirent = readdir(dir)) { /* sic */
+ checkInterrupt();
+@@ -230,11 +227,29 @@ DirEntries readDirectory(const Path & path)
+ if (name == "." || name == "..") continue;
+ entries.emplace_back(name, dirent->d_ino, dirent->d_type);
+ }
+- if (errno) throw SysError(format("reading directory `%1%'") % path);
++ if (errno) throw SysError(format("reading directory"));
+
+ return entries;
+ }
+
++DirEntries readDirectory(const Path & path)
++{
++ AutoCloseDir dir = opendir(path.c_str());
++ if (!dir) throw SysError(format("opening directory `%1%'") % path);
++ return readDirectory(dir);
++}
++
++static DirEntries readDirectory(int fd)
++{
++ /* Since 'closedir' closes the underlying file descriptor, duplicate FD
++ beforehand. */
++ int fdcopy = dup(fd);
++ if (fdcopy < 0) throw SysError("dup");
++
++ AutoCloseDir dir = fdopendir(fdcopy);
++ if (!dir) throw SysError(format("opening directory from file descriptor `%1%'") % fd);
++ return readDirectory(dir);
++}
+
+ unsigned char getFileType(const Path & path)
+ {
+@@ -364,6 +379,93 @@ void deletePath(const Path & path, unsigned long long & bytesFreed, size_t linkT
+ _deletePath(path, bytesFreed, linkThreshold);
+ }
+
++static void copyFile(int sourceFd, int destinationFd)
++{
++ struct stat st;
++ if (fstat(sourceFd, &st) == -1) throw SysError("statting file");
++
++ ssize_t result = copy_file_range(sourceFd, NULL, destinationFd, NULL, st.st_size, 0);
++ if (result < 0 && errno == ENOSYS) {
++ for (size_t remaining = st.st_size; remaining > 0; ) {
++ unsigned char buf[8192];
++ size_t count = std::min(remaining, sizeof buf);
++
++ readFull(sourceFd, buf, count);
++ writeFull(destinationFd, buf, count);
++ remaining -= count;
++ }
++ } else {
++ if (result < 0)
++ throw SysError(format("copy_file_range `%1%' to `%2%'") % sourceFd % destinationFd);
++ if (result < st.st_size)
++ throw SysError(format("short write in copy_file_range `%1%' to `%2%'")
++ % sourceFd % destinationFd);
++ }
++}
++
++static void copyFileRecursively(int sourceroot, const Path &source,
++ int destinationroot, const Path &destination,
++ bool deleteSource)
++{
++ struct stat st;
++ if (fstatat(sourceroot, source.c_str(), &st, AT_SYMLINK_NOFOLLOW) == -1)
++ throw SysError(format("statting file `%1%'") % source);
++
++ if (S_ISREG(st.st_mode)) {
++ AutoCloseFD sourceFd = openat(sourceroot, source.c_str(),
++ O_CLOEXEC | O_NOFOLLOW | O_RDONLY);
++ if (sourceFd == -1) throw SysError(format("opening `%1%'") % source);
++
++ AutoCloseFD destinationFd = openat(destinationroot, destination.c_str(),
++ O_CLOEXEC | O_CREAT | O_WRONLY | O_TRUNC,
++ st.st_mode);
++ if (destinationFd == -1) throw SysError(format("opening `%1%'") % source);
++
++ copyFile(sourceFd, destinationFd);
++ } else if (S_ISLNK(st.st_mode)) {
++ char target[st.st_size + 1];
++ ssize_t result = readlinkat(sourceroot, source.c_str(), target, st.st_size);
++ if (result != st.st_size) throw SysError("reading symlink target");
++ target[st.st_size] = '\0';
++ int err = symlinkat(target, destinationroot, destination.c_str());
++ if (err != 0)
++ throw SysError(format("creating symlink `%1%'") % destination);
++ } else if (S_ISDIR(st.st_mode)) {
++ int err = mkdirat(destinationroot, destination.c_str(), 0755);
++ if (err != 0)
++ throw SysError(format("creating directory `%1%'") % destination);
++
++ AutoCloseFD destinationFd = openat(destinationroot, destination.c_str(),
++ O_CLOEXEC | O_RDONLY | O_DIRECTORY);
++ if (err != 0)
++ throw SysError(format("opening directory `%1%'") % destination);
++
++ AutoCloseFD sourceFd = openat(sourceroot, source.c_str(),
++ O_CLOEXEC | O_NOFOLLOW | O_RDONLY);
++ if (sourceFd == -1)
++ throw SysError(format("opening `%1%'") % source);
++
++ if (deleteSource && !(st.st_mode & S_IWUSR)) {
++ /* Ensure the directory writable so files within it can be
++ deleted. */
++ if (fchmod(sourceFd, st.st_mode | S_IWUSR) == -1)
++ throw SysError(format("making `%1%' directory writable") % source);
++ }
++
++ for (auto & i : readDirectory(sourceFd))
++ copyFileRecursively((int)sourceFd, i.name, (int)destinationFd, i.name,
++ deleteSource);
++ } else throw Error(format("refusing to copy irregular file `%1%'") % source);
++
++ if (deleteSource)
++ unlinkat(sourceroot, source.c_str(),
++ S_ISDIR(st.st_mode) ? AT_REMOVEDIR : 0);
++}
++
++void copyFileRecursively(const Path &source, const Path &destination, bool deleteSource)
++{
++ copyFileRecursively(AT_FDCWD, source, AT_FDCWD, destination, deleteSource);
++}
+
+ static Path tempName(Path tmpRoot, const Path & prefix, bool includePid,
+ int & counter)
+diff --git a/nix/libutil/util.hh b/nix/libutil/util.hh
+index 880b0e93b2..058f5f8446 100644
+--- a/nix/libutil/util.hh
++++ b/nix/libutil/util.hh
+@@ -102,6 +102,12 @@ void deletePath(const Path & path);
+ void deletePath(const Path & path, unsigned long long & bytesFreed,
+ size_t linkThreshold = 1);
+
++/* Copy SOURCE to DESTINATION, recursively. Throw if SOURCE contains a file
++ that is not a regular file, symlink, or directory. When DELETESOURCE is
++ true, delete source files once they have been copied. */
++void copyFileRecursively(const Path &source, const Path &destination,
++ bool deleteSource = false);
++
+ /* Create a temporary directory. */
+ Path createTempDir(const Path & tmpRoot = "", const Path & prefix = "nix",
+ bool includePid = true, bool useGlobalCounter = true, mode_t mode = 0755);
+--
+2.39.2
+
diff --git a/debian/patches/security/0032-daemon-Address-shortcoming-in-previous-security-fix-.patch b/debian/patches/security/0032-daemon-Address-shortcoming-in-previous-security-fix-.patch
new file mode 100644
index 0000000000..0d0b6bd22f
--- /dev/null
+++ b/debian/patches/security/0032-daemon-Address-shortcoming-in-previous-security-fix-.patch
@@ -0,0 +1,106 @@
+From ff1251de0bc327ec478fc66a562430fbf35aef42 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <ludo@gnu.org>
+Date: Tue, 12 Mar 2024 11:53:35 +0100
+Subject: [PATCH 32/36] daemon: Address shortcoming in previous security fix
+ for CVE-2024-27297.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is a followup to 8f4ffb3fae133bb21d7991e97c2f19a7108b1143.
+
+Commit 8f4ffb3fae133bb21d7991e97c2f19a7108b1143 fell short in two
+ways: (1) it didn’t have any effet for fixed-output derivations
+performed in a chroot, which is the case for all of them except those
+using “builtin:download” and “builtin:git-download”, and (2) it did not
+preserve ownership when copying, leading to “suspicious ownership or
+permission […] rejecting this build output” errors.
+
+* nix/libstore/build.cc (DerivationGoal::buildDone): Account for
+‘chrootRootDir’ when copying ‘drv.outputs’.
+* nix/libutil/util.cc (copyFileRecursively): Add ‘fchown’ and ‘fchownat’
+calls to preserve file ownership; this is necessary for chrooted
+fixed-output derivation builds.
+* nix/libutil/util.hh: Update comment.
+
+Change-Id: Ib59f040e98fed59d1af81d724b874b592cbef156
+---
+ nix/libstore/build.cc | 11 ++++++-----
+ nix/libutil/util.cc | 4 ++++
+ nix/libutil/util.hh | 7 ++++---
+ 3 files changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
+index e2adee118b..d23c0944a4 100644
+--- a/nix/libstore/build.cc
++++ b/nix/libstore/build.cc
+@@ -1387,13 +1387,14 @@ void DerivationGoal::buildDone()
+ make sure that there's no stale file descriptor pointing to it
+ (CVE-2024-27297). */
+ foreach (DerivationOutputs::iterator, i, drv.outputs) {
+- if (pathExists(i->second.path)) {
+- Path pivot = i->second.path + ".tmp";
+- copyFileRecursively(i->second.path, pivot, true);
+- int err = rename(pivot.c_str(), i->second.path.c_str());
++ Path output = chrootRootDir + i->second.path;
++ if (pathExists(output)) {
++ Path pivot = output + ".tmp";
++ copyFileRecursively(output, pivot, true);
++ int err = rename(pivot.c_str(), output.c_str());
+ if (err != 0)
+ throw SysError(format("renaming `%1%' to `%2%'")
+- % pivot % i->second.path);
++ % pivot % output);
+ }
+ }
+ }
+diff --git a/nix/libutil/util.cc b/nix/libutil/util.cc
+index 493f06f357..578d657293 100644
+--- a/nix/libutil/util.cc
++++ b/nix/libutil/util.cc
+@@ -422,6 +422,7 @@ static void copyFileRecursively(int sourceroot, const Path &source,
+ if (destinationFd == -1) throw SysError(format("opening `%1%'") % source);
+
+ copyFile(sourceFd, destinationFd);
++ fchown(destinationFd, st.st_uid, st.st_gid);
+ } else if (S_ISLNK(st.st_mode)) {
+ char target[st.st_size + 1];
+ ssize_t result = readlinkat(sourceroot, source.c_str(), target, st.st_size);
+@@ -430,6 +431,8 @@ static void copyFileRecursively(int sourceroot, const Path &source,
+ int err = symlinkat(target, destinationroot, destination.c_str());
+ if (err != 0)
+ throw SysError(format("creating symlink `%1%'") % destination);
++ fchownat(destinationroot, destination.c_str(),
++ st.st_uid, st.st_gid, AT_SYMLINK_NOFOLLOW);
+ } else if (S_ISDIR(st.st_mode)) {
+ int err = mkdirat(destinationroot, destination.c_str(), 0755);
+ if (err != 0)
+@@ -455,6 +458,7 @@ static void copyFileRecursively(int sourceroot, const Path &source,
+ for (auto & i : readDirectory(sourceFd))
+ copyFileRecursively((int)sourceFd, i.name, (int)destinationFd, i.name,
+ deleteSource);
++ fchown(destinationFd, st.st_uid, st.st_gid);
+ } else throw Error(format("refusing to copy irregular file `%1%'") % source);
+
+ if (deleteSource)
+diff --git a/nix/libutil/util.hh b/nix/libutil/util.hh
+index 058f5f8446..377aac0684 100644
+--- a/nix/libutil/util.hh
++++ b/nix/libutil/util.hh
+@@ -102,9 +102,10 @@ void deletePath(const Path & path);
+ void deletePath(const Path & path, unsigned long long & bytesFreed,
+ size_t linkThreshold = 1);
+
+-/* Copy SOURCE to DESTINATION, recursively. Throw if SOURCE contains a file
+- that is not a regular file, symlink, or directory. When DELETESOURCE is
+- true, delete source files once they have been copied. */
++/* Copy SOURCE to DESTINATION, recursively, preserving ownership. Throw if
++ SOURCE contains a file that is not a regular file, symlink, or directory.
++ When DELETESOURCE is true, delete source files once they have been
++ copied. */
+ void copyFileRecursively(const Path &source, const Path &destination,
+ bool deleteSource = false);
+
+--
+2.39.2
+
diff --git a/debian/patches/series b/debian/patches/series_
index 5d506e57..0b8879d1 100644
--- a/debian/patches/series
+++ b/debian/patches/series_
@@ -40,3 +40,5 @@ lsb-init-functions
guix-daemon-openrc-fixes
tests-Ensure-test-OpenPGP-keys-never-expire.patch
use-c-utf8-locale
+security/0001-daemon-Protect-against-FD-escape-when-building-fixed.patch
+security/0032-daemon-Address-shortcoming-in-previous-security-fix-.patch
--
GitLab
diff --git a/debian/control b/debian/control
index f5080c40..24f545ae 100644
--- a/debian/control
+++ b/debian/control
@@ -44,7 +44,9 @@ Depends: ${misc:Depends}, ${shlibs:Depends},
guile-sqlite3 (>= 0.1.3-2~),
guile-zlib (>= 0.1.0),
libssh-dev,
-Recommends: nscd,
+Recommends: ca-certificates,
+ less,
+ nscd,
systemd,
Description: GNU Guix functional package manager
Guix is an advanced distribution of the GNU operating system
diff --git a/debian/patches/series b/debian/patches/series
index 2151eca4..5d506e57 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -38,3 +38,5 @@ lsb-init-functions
0030-Disable-gexp-derivation-allowed-references-test-when.patch
0031-Disable-substitue-deduplication-test-when-network-is.patch
guix-daemon-openrc-fixes
+tests-Ensure-test-OpenPGP-keys-never-expire.patch
+use-c-utf8-locale
diff --git a/guix/debian/patches/tests-Ensure-test-OpenPGP-keys-never-expire.patch b/debian/patches/tests-Ensure-test-OpenPGP-keys-never-expire.patch
new file mode 100644
index 00000000..3d23bd95
--- /dev/null
+++ b/debian/patches/tests-Ensure-test-OpenPGP-keys-never-expire.patch
@@ -0,0 +1,62 @@
+From 3ae7632ca0a1edca9d8c3c766efb0dcc8aa5da37 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <ludo@gnu.org>
+Date: Wed, 18 May 2022 23:20:21 +0200
+Subject: [PATCH] tests: Ensure test OpenPGP keys never expire.
+
+All these keys had expiration dates. 'tests/keys/ed25519.pub' expired
+on 2022-04-24.
+
+Fixes <https://issues.guix.gnu.org/55506>.
+
+* tests/keys/ed25519.pub, tests/keys/ed25519-2.pub,
+tests/keys/ed25519-3.pub: Remove expiration date.
+---
+ tests/keys/ed25519-2.pub | 11 +++++------
+ tests/keys/ed25519-3.pub | 10 +++++-----
+ tests/keys/ed25519.pub | 10 +++++-----
+ 3 files changed, 15 insertions(+), 16 deletions(-)
+
+Adjusted to apply to older locations present in 1.3.0.
+
+diff --git a/tests/ed25519bis.key b/tests/ed25519bis.key
+index f5329105d5..ef050e3845 100644
+--- a/tests/ed25519bis.key
++++ b/tests/ed25519bis.key
+@@ -1,10 +1,9 @@
+ -----BEGIN PGP PUBLIC KEY BLOCK-----
+
+ mDMEXtVsNhYJKwYBBAHaRw8BAQdAnLsYdh3BpeK1xDguJE80XW2/MSmqeeP6pbQw
+-8jAw0OG0IkNoYXJsaWUgR3VpeCA8Y2hhcmxpZUBleGFtcGxlLm9yZz6IlgQTFggA
+-PhYhBKBDaY1jer75FlruS4IkDtyrgNqDBQJe1Ww2AhsDBQkDwmcABQsJCAcCBhUK
+-CQgLAgQWAgMBAh4BAheAAAoJEIIkDtyrgNqDM6cA/idDdoxo9SU+witdTXt24APH
+-yRzHbX9Iyh4dZNIek9JwAP9E0BwSvDHB4LY9z4RWf2hJp3dm/yZ/jEpK+w4BGN4J
+-Ag==
+-=JIU0
++8jAw0OG0IkNoYXJsaWUgR3VpeCA8Y2hhcmxpZUBleGFtcGxlLm9yZz6IkAQTFggA
++OAIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBKBDaY1jer75FlruS4IkDtyr
++gNqDBQJihWJtAAoJEIIkDtyrgNqDbs0BAPOaGSYf3pX3DReEe1zbxxVQrolX9/AZ
++VP0AOt0TAgkzAP0Sr7G1NuCtjWWGK1WmlyTFPhOWLhNriKgZFkBZrGypAw==
++=pdTB
+ -----END PGP PUBLIC KEY BLOCK-----
+diff --git a/tests/ed25519.key b/tests/ed25519.key
+index f6bf906783..5a2fccc9f9 100644
+--- a/tests/ed25519.key
++++ b/tests/ed25519.key
+@@ -2,9 +2,9 @@
+
+ mDMEXqNaoBYJKwYBBAHaRw8BAQdArviKtelb4g0I3zx9xyDS40Oz8i1/LRXqppG6
+ b23Hdim0KEVkIFR3by1GaWZ0eSA8bHVkbyt0ZXN0LWVjY0BjaGJvdWliLm9yZz6I
+-lgQTFggAPhYhBETTHiGvcTj5tjIoCncfScv6rgctBQJeo1qgAhsDBQkDwmcABQsJ
+-CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEHcfScv6rgctq4MA/1R9G0roEwrHwmTd
+-DHxt211eLqupwXE0Z7xY2FH6DHk9AP4owEefBU7jQprSAzBS+c6gdS3SCCKKqAh6
+-ToZ4LmbKAw==
+-=FXMK
++kAQTFggAOAIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBETTHiGvcTj5tjIo
++CncfScv6rgctBQJihWH6AAoJEHcfScv6rgctfPMBAPv+yPmEgM+J6D1nZjXsO4zW
+++4e3y2Ez+QxgI2tn8Z2xAQDBUWyyu0X+8dguGmVlsaiQdkazaUSpexvIhh9zONYw
++Bg==
++=s4Vp
+ -----END PGP PUBLIC KEY BLOCK-----
+--
+2.30.2
+
diff --git a/guix/debian/patches/use-c-utf8-locale b/debian/patches/use-c-utf8-locale
new file mode 100644
index 00000000..6f69c0fa
--- /dev/null
+++ b/debian/patches/use-c-utf8-locale
@@ -0,0 +1,58 @@
+Use the C.UTF-8 locale for guix-daemon and guix-publish.
+
+https://bugs.debian.org/1012536
+
+Index: guix/etc/guix-daemon.service.in
+===================================================================
+--- guix.orig/etc/guix-daemon.service.in
++++ guix/etc/guix-daemon.service.in
+@@ -7,7 +7,7 @@ Description=Build daemon for GNU Guix
+
+ [Service]
+ ExecStart=/usr/bin/guix-daemon --build-users-group=_guixbuild
+-Environment='GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale' LC_ALL=en_US.utf8
++Environment=LC_ALL=C.UTF-8
+ RemainAfterExit=yes
+ StandardOutput=syslog
+ StandardError=syslog
+Index: guix/etc/init.d/guix-daemon.in
+===================================================================
+--- guix.orig/etc/init.d/guix-daemon.in
++++ guix/etc/init.d/guix-daemon.in
+@@ -35,8 +35,7 @@ start)
+ -a \
+ -e "/var/log/guix-daemon-stderr.log" \
+ -o "/var/log/guix-daemon-stdout.log" \
+- -E GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale \
+- -E LC_ALL=en_US.utf8 \
++ -E LC_ALL=C.UTF-8 \
+ -p "/var/run/guix-daemon.pid" \
+ /usr/bin/guix-daemon \
+ --build-users-group=_guixbuild
+Index: guix/etc/openrc/guix-daemon.in
+===================================================================
+--- guix.orig/etc/openrc/guix-daemon.in
++++ guix/etc/openrc/guix-daemon.in
+@@ -17,8 +17,7 @@
+ # You should have received a copy of the GNU General Public License
+ # along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
+
+-export GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale
+-export LC_ALL=en_US.utf8
++export LC_ALL=C.UTF-8
+ command="/usr/bin/guix-daemon"
+ command_args="--build-users-group=_guixbuild"
+ command_background="yes"
+Index: guix/etc/guix-publish.service.in
+===================================================================
+--- guix.orig/etc/guix-publish.service.in
++++ guix/etc/guix-publish.service.in
+@@ -10,7 +10,7 @@ After=guix-daemon.service
+
+ [Service]
+ ExecStart=/usr/bin/guix publish --user=nobody --port=8181
+-Environment='GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale' LC_ALL=en_US.utf8
++Environment=LC_ALL=C.UTF-8
+ RemainAfterExit=yes
+ StandardOutput=syslog
+ StandardError=syslog
#!/bin/sh
#
# Copyright (C) 2024 Luis Guzmán <ark@switnet.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
VERSION=0
. ./config
export FULLVERSION="$(sed 's|1.3.0-4|1.3.0-4+really1.3.0-5|' <<< $FULLVERSION)"
# Upgrade 1.3.0-4 to 1.3.0-5
patch_p1 $DATA/guix-1.3.0.4-to-1.3.0-5.patch
# Apply missing CVEs upstream:
## 1.CVE-2024-27297
for patch in $(ls -v ${DATA}/cve/*.patch)
do
patch_p1 $patch
done
# TODO: Confirm fix for nix package.
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066812
changelog "Upgrade to 1.3.0-5 and apply missing CVE-2024-27297 upstream patch."
package
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment