On Wed, Jun 21, 2017 at 12:50:45PM +0300, Efraim Flashner wrote:
> Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
>
> * gnu/packages/base.scm (glibc/linux)[replacement]: New field.
> (glibc-2.25-fixed): New variable.
> (glibc@2.24, glibc@2.23, glibc@2.22, glibc@2.21)[source]: Add patches.
> [replacement]: New field.
> (glibc-locales)[replacement]: New field.
> * gnu/packages/commencement.scm (cross-gcc-wrapper)[replacement]: New field.
> * gnu/packages/patches/glibc-CVE-2017-1000366.patch,
> gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch,
> gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.

I've applied this patch to my Guix-on-foreign-distro workstation.
Everything seems to be working so far.

I noticed that grafted packages do not seem to refer directly to the
replacement glibc. For example:

$ ./pre-inst-env guix build -e '(@@ (gnu packages base) glibc-2.25-patched)'
/gnu/store/kczijfli8cb0qjyrfzbrd06bdrpic7lx-glibc-2.25-debug
/gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25

$ guix gc --references /gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25
/gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25
/gnu/store/946hwcxnd9w13gyqprs0fzkmyyz4hdar-bash-static-4.4.12
/gnu/store/n4fmp3fj1yam5ijwa64irg7glvzsq4i1-bash-4.4.12
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25

$ guix gc --references $(./pre-inst-env guix build libressl)
/gnu/store/7ahy5yw88wq1fg1lmr84vy958sgzgp5g-libressl-2.5.4
/gnu/store/p8k2id55pynzjmaixlns94phvr7mz5ls-gcc-5.4.0-lib
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25

However, I haven't had time to dig in and wrap my head around the glibc
packages.
By the way, Qualys will probably begin publishing their exploits on
Tuesday [0]:

"We have discussed this internally, and we will first publish the Stack
Clash exploits and proofs-of-concepts that we sent to the distros@ and
linux-distros@ lists, plus our Linux ld.so exploit for amd64, and our
Solaris rsh exploit. We will do so next Tuesday, but we will publish our
Linux exploits and proofs-of-concept if and only if Fedora updates are
ready by then, our NetBSD proof-of-concept if and only if NetBSD patches
are ready by then, and our FreeBSD proofs-of-concept if and only if
FreeBSD patches are ready by then."

[0]