From: Mark H Weaver
Subject: bug#27429: Stack clash (CVE-2017-1000366 etc)
Date: Fri, 23 Jun 2017 14:36:41 -0400
To: Leo Famulari
Cc: 27429@debbugs.gnu.org

Leo Famulari writes:

> On Wed, Jun 21, 2017 at 12:50:45PM +0300, Efraim Flashner wrote:
>> Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
>>
>> * gnu/packages/base.scm (glibc/linux)[replacement]: New field.
>> (glibc-2.25-fixed): New variable.
>> (glibc@2.24, glibc@2.23, glibc@2.22, glibc@2.21)[source]: Add patches.
>> [replacement]: New field.
>> (glibc-locales)[replacement]: New field.
>> * gnu/packages/commencement.scm (cross-gcc-wrapper)[replacement]: New field.
>> * gnu/packages/patches/glibc-CVE-2017-1000366.patch,
>> gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch,
>> gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Add them.
>
> I've applied this patch to my Guix-on-foreign-distro workstation.
> Everything seems to be working so far.
>
> I noticed that grafted packages do not seem to refer directly to the
> replacement glibc. For example:
>
> $ ./pre-inst-env guix build -e '(@@ (gnu packages base) glibc-2.25-patched)'
> /gnu/store/kczijfli8cb0qjyrfzbrd06bdrpic7lx-glibc-2.25-debug
> /gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25

I wouldn't expect them to. Almost(?) nothing in Guix links to the
'glibc' in (gnu packages base), so I wouldn't expect them to link to its
replacement either. Most packages are linked with 'glibc-final' in
(gnu packages commencement), and we should expect them to now be linked
with *its* replacement.

Try this to find the expected glibc-final replacement:

  ./pre-inst-env guix build -e '((@@ (guix packages) package-replacement) (@@ (gnu packages commencement) glibc-final))'

> By the way, Qualys will probably begin publishing their exploits on
> Tuesday [0]:

Thanks for the heads-up, and more generally for your prolific
contributions to security in Guix!

      Mark