guix: fix build user takeover patch

The preceding fix only applies one of two patches, which breaks builds: error: getting attributes of path `/gnu/store/<item>': No such file or directory The Debian package maintainer, Vagrant Cascadian, is a frequent Guix committer, so the Debian package is a suitable upstream patch source when Guix commits require backporting to the current release tarball. Fixes: 633a3b8f19 ("guix: build user takeover patch")
2024-11-03 16:58:39 -06:00 · 2024-11-03 16:58:39 -06:00 · e3c99d6c50
commit e3c99d6c50
parent 7ffd9ae656
2 changed files with 13 additions and 44 deletions
--- a/pkgs/by-name/gu/guix/guix-build-user-takeover-fix.patch
+++ b/pkgs/by-name/gu/guix/guix-build-user-takeover-fix.patch
@ -1,42 +0,0 @@
-diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
-index c5383bc..50d1abc 100644
--- a/nix/libstore/build.cc
-+++ b/nix/libstore/build.cc
-@@ -2312,15 +2312,6 @@ void DerivationGoal::registerOutputs()
-         Path actualPath = path;
-         if (useChroot) {
-             actualPath = chrootRootDir + path;
-            if (pathExists(actualPath)) {
-                /* Move output paths from the chroot to the store. */
-                if (buildMode == bmRepair)
-                    replaceValidPath(path, actualPath);
-                else
-                    if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1)
-                        throw SysError(format("moving build output `%1%' from the chroot to the store") % path);
-            }
-            if (buildMode != bmCheck) actualPath = path;
-         } else {
-             Path redirected = redirectedOutputs[path];
-             if (buildMode == bmRepair
-@@ -2360,6 +2351,21 @@ void DerivationGoal::registerOutputs()
-                something like that. */
-             canonicalisePathMetaData(actualPath, buildUser.enabled() ? buildUser.getUID() : -1, inodesSeen);
- 
-+            if (useChroot) {
-+                if (pathExists(actualPath)) {
-+                    /* Now that output paths have been canonicalized (in particular
-+                    there are no setuid files left), move them outside of the
-+                    chroot and to the store. */
-+                    if (buildMode == bmRepair)
-+                        replaceValidPath(path, actualPath);
-+                    else
-+                        if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1)
-+                            throw SysError(format("moving build output `%1%' from the chroot to the store") % path);
-+                }
-+                if (buildMode != bmCheck) actualPath = path;
-+            }
-+
-+
-             /* FIXME: this is in-memory. */
-             StringSink sink;
-             dumpPath(actualPath, sink);
--- a/pkgs/by-name/gu/guix/package.nix
+++ b/pkgs/by-name/gu/guix/package.nix
@ -3,6 +3,7 @@
  stdenv,
  fetchurl,
  fetchpatch,
+  fetchDebianPatch,
  autoreconfHook,
  disarchive,
  git,
@ -57,9 +58,19 @@ stdenv.mkDerivation rec {
      url = "https://git.savannah.gnu.org/cgit/guix.git/patch/?id=ff1251de0bc327ec478fc66a562430fbf35aef42";
      hash = "sha256-f4KWDVrvO/oI+4SCUHU5GandkGtHrlaM1BWygM/Qlao=";
    })
-    # manual port of build user takeover remediation commit
    # see https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability
-    ./guix-build-user-takeover-fix.patch
+    (fetchDebianPatch {
+      inherit pname version;
+      debianRevision = "8";
+      patch = "security/0101-daemon-Sanitize-failed-build-outputs-prior-to-exposi.patch";
+      hash = "sha256-cbra/+K8+xHUJrCKRgzJCuhMBpzCSjgjosKAkJx7QIo=";
+    })
+    (fetchDebianPatch {
+      inherit pname version;
+      debianRevision = "8";
+      patch = "security/0102-daemon-Sanitize-successful-build-outputs-prior-to-ex.patch";
+      hash = "sha256-mOnlYtpIuYL+kDvSNuXuoDLJP03AA9aI2ALhap+0NOM=";
+    })
  ];

  postPatch = ''