gnu: util-linux: Fix CVE-2021-3995 and CVE-2021-3996.

* gnu/packages/patches/util-linux-CVE-2021-3995.patch, gnu/packages/patches/util-linux-CVE-2021-3996.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/linux.scm (util-linux)[replacement]: New field. (util-linux/fixed): New variable.
2025-10-02 02:15:12 +00:00 · 2022-01-26 00:19:34 -05:00 · 2022-01-26 00:19:34 -05:00 · 16ce73d87f
commit 16ce73d87f
parent 7afed75764
4 changed files with 397 additions and 0 deletions
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@ -1820,6 +1820,7 @@ providing the system administrator with some help in common tasks.")
 (define-public util-linux
  (package
    (name "util-linux")
+    (replacement util-linux/fixed)
    (version "2.37.2")
    (source (origin
              (method url-fetch)
@ -1971,6 +1972,21 @@ block devices, UUIDs, TTYs, and many other tools.")
    `(("udev" ,eudev)
      ,@(package-inputs util-linux)))))

+;; This is mostly equivalent to the upstream release version v2.37.3, except
+;; that the upstream tarball was generated improperly, which breaks the build.
+;; There will not be a v2.37.3-fixed release or anything like that to fix it:
+;; https://github.com/util-linux/util-linux/issues/1577
+(define-public util-linux/fixed
+  (hidden-package
+    (package
+      (inherit util-linux)
+      (source (origin
+                (inherit (package-source util-linux))
+                (patches (append (search-patches "util-linux-CVE-2021-3995.patch"
+                                                 "util-linux-CVE-2021-3996.patch")
+                                 (origin-patches (package-source util-linux)))))))))
+
+
 (define-public ddate
  (package
    (name "ddate")