From aec99f8c2176a59e8789ef6644f60cfbfea0e6c6 Mon Sep 17 00:00:00 2001
From: Liam Hupfer
Date: Sun, 3 Nov 2024 16:58:39 -0600
Subject: [PATCH] guix: fix build user takeover patch

The preceding fix only applies one of two patches, which breaks builds: error: getting attributes of path `/gnu/store/': No such file or directory The Debian package maintainer, Vagrant Cascadian, is a frequent Guix committer, so the Debian package is a suitable upstream patch source when Guix commits require backporting to the current release tarball.

Fixes: 633a3b8f1913 ("guix: build user takeover patch")
---
 pkgs/by-name/gu/guix/package.nix | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/pkgs/by-name/gu/guix/package.nix b/pkgs/by-name/gu/guix/package.nix
index 5752a45ae6356..feb26b3ea606d 100644
--- a/pkgs/by-name/gu/guix/package.nix
+++ b/pkgs/by-name/gu/guix/package.nix
@@ -3,6 +3,7 @@
   stdenv,
   fetchurl,
   fetchpatch,
+  fetchDebianPatch,
   autoreconfHook,
   disarchive,
   git,
@@ -57,9 +58,19 @@ stdenv.mkDerivation rec {
       url = "https://git.savannah.gnu.org/cgit/guix.git/patch/?id=ff1251de0bc327ec478fc66a562430fbf35aef42";
       hash = "sha256-f4KWDVrvO/oI+4SCUHU5GandkGtHrlaM1BWygM/Qlao=";
     })
-    # manual port of build user takeover remediation commit
     # see https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability
-    ./guix-build-user-takeover-fix.patch
+    (fetchDebianPatch {
+      inherit pname version;
+      debianRevision = "8";
+      patch = "security/0101-daemon-Sanitize-failed-build-outputs-prior-to-exposi.patch";
+      hash = "sha256-cbra/+K8+xHUJrCKRgzJCuhMBpzCSjgjosKAkJx7QIo=";
+    })
+    (fetchDebianPatch {
+      inherit pname version;
+      debianRevision = "8";
+      patch = "security/0102-daemon-Sanitize-successful-build-outputs-prior-to-ex.patch";
+      hash = "sha256-mOnlYtpIuYL+kDvSNuXuoDLJP03AA9aI2ALhap+0NOM=";
+    })
   ];
 
   postPatch = ''
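Review bot: The diffstat reports only package.nix changing, so the local `./guix-build-user-takeover-fix.patch` that the second hunk stops referencing appears to remain in the tree as an orphaned, partial port of the remediation; it should be deleted in the same commit so nobody later re-adds the incomplete fix by mistake. The surviving comment still only points at the advisory blog post, while the reason for pulling the two patches from Debian rather than upstream Guix lives only in the commit message; I would carry it into the file above the first `fetchDebianPatch`, e.g. `# both upstream remediation commits, backported to the release tarball by Debian (its maintainer is a Guix committer)`. Since `inherit pname version;` and `debianRevision = "8"` tie both fetches to the current Debian packaging, a future version bump will need the revision and both hashes refreshed together; the `hash` pins do guarantee the fetched patch content cannot silently change underneath. The `patches = [` list these entries belong to starts before the hunk.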