From: Leo Famulari
Subject: bug#27429: Stack clash (CVE-2017-1000366 etc)
Date: Wed, 21 Jun 2017 20:03:36 -0400
Message-ID: <20170622000336.GB4510@jasmine.lan>
In-Reply-To: <20170621235227.GA4510@jasmine.lan>
To: Efraim Flashner
Cc: 27429@debbugs.gnu.org

On Wed, Jun 21, 2017 at 07:52:27PM -0400, Leo Famulari wrote:
> On Wed, Jun 21, 2017 at 12:50:45PM +0300, Efraim Flashner wrote:
> > Had to make a small change to the patch, it turns out it couldn't build
> > the source for glibc@2.21, so I changed the source to inherit from
> > glibc@2.22 and not just from glibc. It doesn't change anything for the
> > actual glibc@2.25.
> >
> > --
> > Efraim Flashner אפרים פלשנר
> > GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
> > Confidentiality cannot be guaranteed on emails sent or received unencrypted
>
> > From ef14fa6db5eaedabbaa092cbed2b6f8ee903837c Mon Sep 17 00:00:00 2001
> > From: Efraim Flashner
> > Date: Mon, 19 Jun 2017 23:13:53 +0300
> > Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
> >
> > * gnu/packages/base.scm (glibc/linux)[replacement]: New field.
> > (glibc-2.25-fixed): New variable.
> > (glibc@2.24, glibc@2.23, glibc@2.22, glibc@2.21)[source]: Add patches.
> > [replacement]: New field.
> > (glibc-locales)[replacement]: New field.
> > * gnu/packages/commencement.scm (cross-gcc-wrapper)[replacement]: New field.
> > * gnu/packages/patches/glibc-CVE-2017-1000366.patch,
> > gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch,
> > gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch: New files.
> > * gnu/local.mk (dist_patch_DATA): Add them.
>
> Thanks, I'm building a bare-bones disk image to test this patch.

Hm, I noticed the bootstrap binaries being downloaded, so I don't think
this patch applies the graft without causing a full rebuild.