From: Leo Famulari
Subject: bug#27429: Stack clash (CVE-2017-1000366 etc)
Date: Fri, 23 Jun 2017 13:20:38 -0400
Message-ID: <20170623172038.GA6052@jasmine.lan>
In-Reply-To: <20170621095045.GB2870@macbook42.flashner.co.il>
List-Id: Bug reports for GNU Guix
To: Efraim Flashner
Cc: 27429@debbugs.gnu.org

On Wed, Jun 21, 2017 at 12:50:45PM +0300, Efraim Flashner wrote:
> Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
>
> * gnu/packages/base.scm (glibc/linux)[replacement]: New field.
> (glibc-2.25-fixed): New variable.
> (glibc@2.24, glibc@2.23, glibc@2.22, glibc@2.21)[source]: Add patches.
> [replacement]: New field.
> (glibc-locales)[replacement]: New field.
> * gnu/packages/commencement.scm (cross-gcc-wrapper)[replacement]: New field.
> * gnu/packages/patches/glibc-CVE-2017-1000366.patch,
> gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch,
> gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.

I've applied this patch to my Guix-on-foreign-distro workstation.
Everything seems to be working so far.

I noticed that grafted packages do not seem to refer directly to the
replacement glibc. For example:

$ ./pre-inst-env guix build -e '(@@ (gnu packages base) glibc-2.25-patched)'
/gnu/store/kczijfli8cb0qjyrfzbrd06bdrpic7lx-glibc-2.25-debug
/gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25
$ guix gc --references /gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25
/gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25
/gnu/store/946hwcxnd9w13gyqprs0fzkmyyz4hdar-bash-static-4.4.12
/gnu/store/n4fmp3fj1yam5ijwa64irg7glvzsq4i1-bash-4.4.12
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25
$ guix gc --references $(./pre-inst-env guix build libressl)
/gnu/store/7ahy5yw88wq1fg1lmr84vy958sgzgp5g-libressl-2.5.4
/gnu/store/p8k2id55pynzjmaixlns94phvr7mz5ls-gcc-5.4.0-lib
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25

However, I haven't had time to dig in and wrap my head around the glibc
packages.

By the way, Qualys will probably begin publishing their exploits on
Tuesday [0]:

"We have discussed this internally, and we will first publish the Stack
Clash exploits and proofs-of-concepts that we sent to the distros@ and
linux-distros@ lists, plus our Linux ld.so exploit for amd64, and our
Solaris rsh exploit.
We will do so next Tuesday, but we will publish our Linux exploits and
proofs-of-concept if and only if Fedora updates are ready by then, our
NetBSD proof-of-concept if and only if NetBSD patches are ready by then,
and our FreeBSD proofs-of-concept if and only if FreeBSD patches are
ready by then."

[0]