guix: fix build user takeover patch

The preceding fix only applies one of two patches, which breaks builds: error: getting attributes of path `/gnu/store/<item>': No such file or directory The Debian package maintainer, Vagrant Cascadian, is a frequent Guix committer, so the Debian package is a suitable upstream patch source when Guix commits require backporting to the current release tarball. Fixes: 633a3b8 ("guix: build user takeover patch")
NixOS · Nov 3, 2024 · aec99f8 · aec99f8
1 parent 7ffd9ae
commit aec99f8
Showing 1 changed file with 13 additions and 2 deletions.
diff --git a/pkgs/by-name/gu/guix/package.nix b/pkgs/by-name/gu/guix/package.nix
@@ -3,6 +3,7 @@
   stdenv,
   fetchurl,
   fetchpatch,
+  fetchDebianPatch,
   autoreconfHook,
   disarchive,
   git,
@@ -57,9 +58,19 @@ stdenv.mkDerivation rec {
       url = "https://git.savannah.gnu.org/cgit/guix.git/patch/?id=ff1251de0bc327ec478fc66a562430fbf35aef42";
       hash = "sha256-f4KWDVrvO/oI+4SCUHU5GandkGtHrlaM1BWygM/Qlao=";
     })
-    # manual port of build user takeover remediation commit
     # see https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability
-    ./guix-build-user-takeover-fix.patch
+    (fetchDebianPatch {
+      inherit pname version;
+      debianRevision = "8";
+      patch = "security/0101-daemon-Sanitize-failed-build-outputs-prior-to-exposi.patch";
+      hash = "sha256-cbra/+K8+xHUJrCKRgzJCuhMBpzCSjgjosKAkJx7QIo=";
+    })
+    (fetchDebianPatch {
+      inherit pname version;
+      debianRevision = "8";
+      patch = "security/0102-daemon-Sanitize-successful-build-outputs-prior-to-ex.patch";
+      hash = "sha256-mOnlYtpIuYL+kDvSNuXuoDLJP03AA9aI2ALhap+0NOM=";
+    })
   ];
 
   postPatch = ''