From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: bug#27429: Stack clash (CVE-2017-1000366 etc)
Date: Tue, 20 Jun 2017 09:16:21 -0400
Message-ID: <20170620131621.GA25394@jasmine.lan>
References: <20170619222550.GA29289@jasmine.lan>
	<20170620004920.GB31586@jasmine.lan>
	<20170620071857.GA2768@macbook42.flashner.co.il>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="4Ckj6UjgE2iN1+kY"
Return-path: <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:55206)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1dNJ1m-0002aF-0N
	for bug-guix@gnu.org; Tue, 20 Jun 2017 09:17:07 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1dNJ1i-0005ks-QV
	for bug-guix@gnu.org; Tue, 20 Jun 2017 09:17:05 -0400
Received: from debbugs.gnu.org ([208.118.235.43]:54320)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1dNJ1i-0005km-Fx
	for bug-guix@gnu.org; Tue, 20 Jun 2017 09:17:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1dNJ1i-0008KD-4l
	for bug-guix@gnu.org; Tue, 20 Jun 2017 09:17:02 -0400
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-Message-ID: <handler.27429.B27429.149796459031961@debbugs.gnu.org>
Content-Disposition: inline
In-Reply-To: <20170620071857.GA2768@macbook42.flashner.co.il>
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-guix/>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
To: Efraim Flashner <efraim@flashner.co.il>
Cc: 27429@debbugs.gnu.org


--4Ckj6UjgE2iN1+kY
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Jun 20, 2017 at 10:18:57AM +0300, Efraim Flashner wrote:
> Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
>=20
> * gnu/packages/base.scm (glibc)[replacement]: New field.
> (glibc-2.25-fixed): New variable.
> (glibc@2.24, glibc@2.23, glibc@2.22, glibc@2.21)[source]: Add patch.
> [replacement]: New field.
> (glibc-locales)[replacement]: New field.
> * gnu/packages/commencement.scm (glibc-final-with-bootstrap-bash,
> cross-gcc-wrapper, glibc-final)[replacement]: New field.
> * gnu/packages/patches/glibc-CVE-2017-1000366.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.

I'm not sure which glibc packages should be grafted and which should
not. But this patch doesn't seem to have an effect for me. With the
patch applied:

$ ./pre-inst-env guix build glibc
/gnu/store/d13m5axwk9vra6r50rq5wlmvi4vmlfcf-glibc-2.25-debug
/gnu/store/yk29yl8088c8qbj2259mf3879r107dsa-glibc-2.25
$ guix gc --references $(./pre-inst-env guix build gnupg)
/gnu/store/3qz6h4fgjn7n0p6vhqbk0lpv6pil0gr7-pcsc-lite-1.8.22
/gnu/store/5c9hjca0fjn0wq0ycx3b1zzza1ra6crq-npth-1.4
/gnu/store/a8p0j9m2i9jh8pczv2rp4bvmidi026d1-libassuan-2.4.3
/gnu/store/dcc4b6r7npjmhdsah1g6nw1j9wdy635y-sqlite-3.17.0
/gnu/store/dhc2iy059hi91fk55dcv79z09kp6500y-gcc-5.4.0-lib
/gnu/store/g5iwy1hp055y3aipasfxnh7dfnigzi82-gnupg-2.1.21
/gnu/store/hag795ji8p9vqikwp8cibfibpsa39s3n-libgcrypt-1.7.6
/gnu/store/j92kxc1l8h879cc4ss1gbhsq73ddnbsg-libgpg-error-1.26
/gnu/store/jsflzpi7pnc7m5p7cln8bjcma4lsi6hd-gnutls-3.5.D
/gnu/store/jwkcd7siv6fcyl0qsg607bg9c8ap0gqr-zlib-1.2.11
/gnu/store/k7029k5va68lkapbzcycdzj7m5bjb4b8-bash-4.4.12
/gnu/store/rmjlycdgiq8pfy5hfi42qhw3k7p6kdav-glibc-2.25
/gnu/store/sjm2c0dymn3mjl7g0jqbjdbibnqh0iaw-readline-7.0
/gnu/store/xa7q8aspczcmvh0hqyy790mwzgwmfwr3-openldap-2.4.44
/gnu/store/z0xz1z70rwp273chi1gyb9cxzblylzba-libksba-1.3.5

The grafted glibc doesn't appear to be referenced.

--4Ckj6UjgE2iN1+kY
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAllJICIACgkQJkb6MLrK
fwhH9RAA8GVjmrUCHcQ4MAcHR9o2oEnyT2bisp34vcuVFKNmHDe1xK1AKeQt3UXj
C31vy8+dtAEB4W6PyW5JzHt5LZ1K7lfc64BaIv2Q3Y3KBbToq/JfiozKvsd5LO8R
HYLI6/yeRfuVijNYqDZ+nAqb3kBZECajTOyFMm+wDtGQ5SzxjwShZqtUDeTOxywc
386HY30OyR3xgD7QAvJOXHYlwlb2tKo/XLrlq9GTwkkiRwxs5/KDNcr7+YRQrmWJ
enB3dIMaPrwgtEFxPR2NEG936C0tw6DjS5ABq6iapbWlXemwnXSy9VAL9AXXnK5k
5IAaHY3D/CcYl8qkzaEOTg+rN2Djemk89mZqy3mZ7FqNB/90kEAIBSP22V0ru0cL
2XdKlJbCQUyLze5FH4XaNgc3yOsohhZ39QDQHrYY9HZ//RnGT0diSRqj6uRRg/PJ
uazzuYRL1jHU0irujiNRAbdKLyKvOh9EdAFjzNc5H/rSe0V8RWTvhi+q7Cd4bcgh
4rbjk+4efJVmHVBb9cuDogY8Ci2c2MK2Wr3mrMgNWLwGLRw8PwqAJ8RySBDW0mN4
7K0p7xotoPPtszPlJGxSTIKUDnDZbevhVXYRfL287VyFPF3lVgsN8tb/73GFqCJq
8WfNoF6Xp4X/WVWdRDvEU92JKT1ELGFGf2gaHVDWy0mUHyKurls=
=bN6H
-----END PGP SIGNATURE-----

--4Ckj6UjgE2iN1+kY--