bug#29232: [PATCH] gnu: qemu: Fix CVE-2017-{15038,15268,15289}.

guix-patches

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#29232: [PATCH] gnu: qemu: Fix CVE-2017-{15038,15268,15289}.

From:	Leo Famulari
Subject:	bug#29232: [PATCH] gnu: qemu: Fix CVE-2017-{15038,15268,15289}.
Date:	Fri, 10 Nov 2017 12:17:38 -0500
User-agent:	Mutt/1.9.1 (2017-09-22)

On Thu, Nov 09, 2017 at 11:51:48PM +0100, Ludovic Courtès wrote:
> Hello,
> 
> Leo Famulari <address@hidden> skribis:
> 
> > What do you think of fetching the patches like this, instead of copying
> > them into the Guix source tree?
> 
> I think it’s OK.  If the Gitweb instance disappears, or if it changes
> somehow, hopefully the patch itself will still have the same hash, so we
> can always change to different URL or a local file.
> 
> > * gnu/packages/virtualization.scm (qemu-patch): Use HTTPS.
> > (qemu)[source]: Use qemu-patch.
> 
> […]
> 
> > +            (qemu-patch "7bd92756303f2158a68d5166264dc30139b813b6"
> > +                        "qemu-CVE-2017-15038.patch"
> > +                        (base32
> > +                         
> > "0wpgf8ivjdbaihf2l7720h1fydh7kdl36wj2nchjd9irfkhw399q"))
> > +            (qemu-patch "a7b20a8efa28e5f22c26c06cd06c2f12bc863493"
> > +                        "qemu-CVE-2017-15268.patch"
> > +                        (base32
> > +                         
> > "1adhwj91pmgbmdvyrkvslbfsyz7l00xdrr6vzps6s58q5idvdp79"))
> > +            (qemu-patch "eb38e1bc3740725ca29a535351de94107ec58d51"
> > +                        "qemu-CVE-2017-15289.patch"
> > +                        (base32
> > +                         
> > "1zshrlzbwgwrsnimbq8kqr7injd65ncsr8a4lrmgyfv185ma4z8d"))))
> 
> I trust these commits correspond to these CVEs.

Okay, I pushed adf7e69cab6180ef75360a1c0731c93f4bff2b18, which uses good
ol' annotated patch files instead.

Fetching the patches like this is too opaque. There's no *easy* way to
view the patches or figure out where they came from. The upstream
commits don't mention the CVE ID, and every interested person has to
re-do the work of corrolating the patch with the ID'd bug.

In practice, I think this extra works means that nobody will ever review
the patches or check that they correspond to a particular bug. Making
that easy is worth the extra bytes in our source tree.

Also I'm not confident that it will be easy to find bit-reproducible
patches in the future, whereas I think it will be easy to find the QEMU
tarballs and the patches from our Git repo.

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

[bug#29232] [PATCH] gnu: qemu: Fix CVE-2017-{15038,15268,15289}., Leo Famulari, 2017/11/09
- [bug#29232] [PATCH] gnu: qemu: Fix CVE-2017-{15038,15268,15289}., Ludovic Courtès, 2017/11/09
  - bug#29232: [PATCH] gnu: qemu: Fix CVE-2017-{15038,15268,15289}., Leo Famulari <=
    - [bug#29232] [PATCH] gnu: qemu: Fix CVE-2017-{15038,15268,15289}., Ludovic Courtès, 2017/11/10

Prev by Date: bug#29079: [PATCH] gnu: Add hunspell-en-US.
Next by Date: [bug#29251] [PATCH] gnu: gnutls: Don't allow a reference to net-tools.
Previous by thread: [bug#29232] [PATCH] gnu: qemu: Fix CVE-2017-{15038,15268,15289}.
Next by thread: [bug#29232] [PATCH] gnu: qemu: Fix CVE-2017-{15038,15268,15289}.
Index(es):
- Date
- Thread