unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed
* bug#70581: PHP, glibc, and CVE-2024-2961
@ 2024-04-26  6:44 McSinyx via Bug reports for GNU Guix
  2024-04-26  7:20 ` Liliana Marie Prikler
  2024-12-14 14:20 ` bug#70581: [PATCH] gnu: glibc: Graft with fix for CVE-2024-2961 Maxim Cournoyer
  0 siblings, 2 replies; 6+ messages in thread
From: McSinyx via Bug reports for GNU Guix @ 2024-04-26  6:44 UTC (permalink / raw)
  To: 70581

Hello Guix,

Last week, an overflow bug in glibc's iconv(3) was discovered:
https://www.openwall.com/lists/oss-security/2024/04/17/9

It may enable remove code execution through PHP.  Due to
the immutable nature of Guix, is it possible to hotpatch
this using graft, or do we need to rebuild to world?
https://rockylinux.org/news/glibc-vulnerability-april-2024/

Kind regards,
McSinyx




^ permalink raw reply	[flat|nested] 6+ messages in thread

* bug#70581: PHP, glibc, and CVE-2024-2961
  2024-04-26  6:44 bug#70581: PHP, glibc, and CVE-2024-2961 McSinyx via Bug reports for GNU Guix
@ 2024-04-26  7:20 ` Liliana Marie Prikler
  2024-12-14 14:20 ` bug#70581: [PATCH] gnu: glibc: Graft with fix for CVE-2024-2961 Maxim Cournoyer
  1 sibling, 0 replies; 6+ messages in thread
From: Liliana Marie Prikler @ 2024-04-26  7:20 UTC (permalink / raw)
  To: McSinyx, 70581; +Cc: guix-security

Hi McSinyx,

security-relevant bugs ought to go to <guix-security@gnu.org>, see [1].
Since a patch exists for glibc all the way back to 2.30, I suppose a
graft can be used and should be performed timely. 

Cheers

[1] https://guix.gnu.org/en/security/





^ permalink raw reply	[flat|nested] 6+ messages in thread

* bug#70581: [PATCH] gnu: glibc: Graft with fix for CVE-2024-2961.
  2024-04-26  6:44 bug#70581: PHP, glibc, and CVE-2024-2961 McSinyx via Bug reports for GNU Guix
  2024-04-26  7:20 ` Liliana Marie Prikler
@ 2024-12-14 14:20 ` Maxim Cournoyer
  2024-12-18  7:31   ` bug#70581: PHP, glibc, and CVE-2024-2961 Maxim Cournoyer
  2024-12-18 10:07   ` Ludovic Courtès
  1 sibling, 2 replies; 6+ messages in thread
From: Maxim Cournoyer @ 2024-12-14 14:20 UTC (permalink / raw)
  To: 70581
  Cc: Maxim Cournoyer, guix-security, McSinyx, Liliana Marie Prikler,
	Ludovic Courtès, Andreas Enge, Janneke Nieuwenhuizen

* gnu/packages/base.scm (%glibc-patches): New variable.
(glibc) [source]: Use it.
[properties]: Mark CVE-2024-2961 as hidden (resolved).
[replacement]: Add field to graft with...
(glibc/fixed): ... this new package.

Fixes: <https://issues.guix.gnu.org/70581>
Change-Id: I6dd70b0e157283925824348f180c466c2f6387c9
---
 gnu/packages/base.scm | 55 ++++++++++++++++++++++++++++++++-----------
 1 file changed, 41 insertions(+), 14 deletions(-)

diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index b3f54798c4..a060ed556d 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -878,6 +878,21 @@ (define* (make-ld-wrapper name #:key
     (home-page "https://www.gnu.org/software/guix//")
     (license gpl3+)))
 
+(define %glibc-patches
+  (list "glibc-2.39-git-updates.patch"
+        "glibc-ldd-powerpc.patch"
+        "glibc-2.38-ldd-x86_64.patch"
+        "glibc-dl-cache.patch"
+        "glibc-2.37-versioned-locpath.patch"
+        ;; "glibc-allow-kernel-2.6.32.patch"
+        "glibc-reinstate-prlimit64-fallback.patch"
+        "glibc-supported-locales.patch"
+        "glibc-2.37-hurd-clock_t_centiseconds.patch"
+        "glibc-2.37-hurd-local-clock_gettime_MONOTONIC.patch"
+        "glibc-hurd-mach-print.patch"
+        "glibc-hurd-gettyent.patch"
+        "glibc-hurd-getauxval.patch"))
+
 (define-public glibc
   ;; This is the GNU C Library, used on GNU/Linux and GNU/Hurd.  Prior to
   ;; version 2.28, GNU/Hurd used a different glibc branch.
@@ -890,21 +905,11 @@ (define-public glibc
             (sha256
              (base32
               "09nrwb0ksbah9k35jchd28xxp2hidilqdgz7b8v5f30pz1yd8yzp"))
-            (patches (search-patches "glibc-2.39-git-updates.patch"
-                                     "glibc-ldd-powerpc.patch"
-                                     "glibc-2.38-ldd-x86_64.patch"
-                                     "glibc-dl-cache.patch"
-                                     "glibc-2.37-versioned-locpath.patch"
-                                     ;; "glibc-allow-kernel-2.6.32.patch"
-                                     "glibc-reinstate-prlimit64-fallback.patch"
-                                     "glibc-supported-locales.patch"
-                                     "glibc-2.37-hurd-clock_t_centiseconds.patch"
-                                     "glibc-2.37-hurd-local-clock_gettime_MONOTONIC.patch"
-                                     "glibc-hurd-mach-print.patch"
-                                     "glibc-hurd-gettyent.patch"
-                                     "glibc-hurd-getauxval.patch"))))
-   (properties `((lint-hidden-cve . ("CVE-2024-33601" "CVE-2024-33602"
+            (patches (map search-patch %glibc-patches))))
+   (properties `((lint-hidden-cve . ("CVE-2024-2961"
+                                     "CVE-2024-33601" "CVE-2024-33602"
                                      "CVE-2024-33600" "CVE-2024-33599"))))
+   (replacement glibc/fixed)
    (build-system gnu-build-system)
 
    ;; Glibc's <limits.h> refers to <linux/limit.h>, for instance, so glibc
@@ -1182,6 +1187,28 @@ (define-public glibc
    (license lgpl2.0+)
    (home-page "https://www.gnu.org/software/libc/")))
 
+(define glibc/fixed
+  (package
+    (inherit glibc)
+    (name "glibc")
+    (version (package-version glibc))
+    (source (origin
+              (method git-fetch)
+              (uri (git-reference
+                    (url "git://sourceware.org/git/glibc.git")
+                    ;; This is the latest commit from the
+                    ;; 'release/2.39/master' branch, where CVEs and other
+                    ;; important bug fixes are cherry picked.
+                    (commit "2c882bf9c15d206aaf04766d1b8e3ae5b1002cc2")))
+              (file-name (git-file-name name version))
+              (sha256
+               (base32
+                "111yf24g0qcfcxywfzrilmjxysahlbkzxfimcz9rq8p00qzvvf51"))
+              (patches (map search-patch
+                            (fold (cut delete <...>)
+                                  %glibc-patches
+                                  '("glibc-2.39-git-updates.patch"))))))))
+
 ;; Define a variation of glibc which uses the default /etc/ld.so.cache, useful
 ;; in FHS containers.
 (define-public glibc-for-fhs

base-commit: 93e1586116f39a30ba1fcb67bd839a43533dfaf4
-- 
2.46.0





^ permalink raw reply related	[flat|nested] 6+ messages in thread

* bug#70581: PHP, glibc, and CVE-2024-2961
  2024-12-14 14:20 ` bug#70581: [PATCH] gnu: glibc: Graft with fix for CVE-2024-2961 Maxim Cournoyer
@ 2024-12-18  7:31   ` Maxim Cournoyer
  2024-12-18 10:07   ` Ludovic Courtès
  1 sibling, 0 replies; 6+ messages in thread
From: Maxim Cournoyer @ 2024-12-18  7:31 UTC (permalink / raw)
  To: 70581-done
  Cc: Ludovic Courtès, guix-security, Liliana Marie Prikler,
	Andreas Enge, McSinyx, Janneke Nieuwenhuizen

Hi

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> * gnu/packages/base.scm (%glibc-patches): New variable.
> (glibc) [source]: Use it.
> [properties]: Mark CVE-2024-2961 as hidden (resolved).
> [replacement]: Add field to graft with...
> (glibc/fixed): ... this new package.
>
> Fixes: <https://issues.guix.gnu.org/70581>
> Change-Id: I6dd70b0e157283925824348f180c466c2f6387c9

Applied.

-- 
Thanks,
Maxim




^ permalink raw reply	[flat|nested] 6+ messages in thread

* bug#70581: PHP, glibc, and CVE-2024-2961
  2024-12-14 14:20 ` bug#70581: [PATCH] gnu: glibc: Graft with fix for CVE-2024-2961 Maxim Cournoyer
  2024-12-18  7:31   ` bug#70581: PHP, glibc, and CVE-2024-2961 Maxim Cournoyer
@ 2024-12-18 10:07   ` Ludovic Courtès
  2024-12-19  2:25     ` Maxim Cournoyer
  1 sibling, 1 reply; 6+ messages in thread
From: Ludovic Courtès @ 2024-12-18 10:07 UTC (permalink / raw)
  To: Maxim Cournoyer
  Cc: guix-security, Liliana Marie Prikler, Andreas Enge, 70581,
	McSinyx, Janneke Nieuwenhuizen

Hi,

Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:

> * gnu/packages/base.scm (%glibc-patches): New variable.
> (glibc) [source]: Use it.
> [properties]: Mark CVE-2024-2961 as hidden (resolved).
> [replacement]: Add field to graft with...
> (glibc/fixed): ... this new package.
>
> Fixes: <https://issues.guix.gnu.org/70581>
> Change-Id: I6dd70b0e157283925824348f180c466c2f6387c9

I’m late to the party, apologies! (I was Cc’d, despite being on
‘core-packages’, weird.)

> +              (patches (map search-patch
> +                            (fold (cut delete <...>)
> +                                  %glibc-patches
> +                                  '("glibc-2.39-git-updates.patch"))))))))

Or: (delete "glibc-2.39-git-updates.patch" (search-patches %glibc-patches)).

Thank you!

Ludo’.




^ permalink raw reply	[flat|nested] 6+ messages in thread

* bug#70581: PHP, glibc, and CVE-2024-2961
  2024-12-18 10:07   ` Ludovic Courtès
@ 2024-12-19  2:25     ` Maxim Cournoyer
  0 siblings, 0 replies; 6+ messages in thread
From: Maxim Cournoyer @ 2024-12-19  2:25 UTC (permalink / raw)
  To: Ludovic Courtès
  Cc: guix-security, Liliana Marie Prikler, Andreas Enge, 70581,
	McSinyx, Janneke Nieuwenhuizen

Hi Ludovic,

Ludovic Courtès <ludo@gnu.org> writes:

[...]

>> +              (patches (map search-patch
>> +                            (fold (cut delete <...>)
>> +                                  %glibc-patches
>> +                                  '("glibc-2.39-git-updates.patch"))))))))
>
> Or: (delete "glibc-2.39-git-updates.patch" (search-patches %glibc-patches)).

It doesn't seem to work the way you'd intuitively expect, because
search-patches is syntax, and %glibc-patches is a list.  So you at least
need the map and search-patch procedure:

--8<---------------cut here---------------start------------->8---
(delete "glibc-2.39-git-updates.patch" (map search-patch %glibc-patches)).
--8<---------------cut here---------------end--------------->8---

And then the delete has no effect because 'search-path' returns absolute
paths, so the patch to delete is now something like
'/home/maxim/src/guix/gnu/packages/patches/glibc-2.39-git-updates.patch',
for example.

-- 
Thanks,
Maxim




^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2024-12-19  2:28 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-04-26  6:44 bug#70581: PHP, glibc, and CVE-2024-2961 McSinyx via Bug reports for GNU Guix
2024-04-26  7:20 ` Liliana Marie Prikler
2024-12-14 14:20 ` bug#70581: [PATCH] gnu: glibc: Graft with fix for CVE-2024-2961 Maxim Cournoyer
2024-12-18  7:31   ` bug#70581: PHP, glibc, and CVE-2024-2961 Maxim Cournoyer
2024-12-18 10:07   ` Ludovic Courtès
2024-12-19  2:25     ` Maxim Cournoyer

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).