From: Mark H Weaver <mhw@netris.org>
To: Leo Famulari <leo@famulari.name>
Cc: 27429@debbugs.gnu.org
Subject: bug#27429: Stack clash (CVE-2017-1000366 etc)
Date: Thu, 22 Jun 2017 02:44:11 -0400 [thread overview]
Message-ID: <87zid0iksk.fsf@netris.org> (raw)
In-Reply-To: <20170622000336.GB4510@jasmine.lan> (Leo Famulari's message of "Wed, 21 Jun 2017 20:03:36 -0400")
Leo Famulari <leo@famulari.name> writes:
> On Wed, Jun 21, 2017 at 07:52:27PM -0400, Leo Famulari wrote:
>> On Wed, Jun 21, 2017 at 12:50:45PM +0300, Efraim Flashner wrote:
>> > Had to make a small change to the patch, it turns out it couldn't build
>> > the source for glibc@2.21, so I changed the source to inherit from
>> > glibc@2.22 and not just from glibc. It doesn't change anything for the
>> > actual glibc@2.25.
>> >
>> > --
>> > Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
>> > GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
>> > Confidentiality cannot be guaranteed on emails sent or received unencrypted
>>
>> > From ef14fa6db5eaedabbaa092cbed2b6f8ee903837c Mon Sep 17 00:00:00 2001
>> > From: Efraim Flashner <efraim@flashner.co.il>
>> > Date: Mon, 19 Jun 2017 23:13:53 +0300
>> > Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
>> >
>> > * gnu/packages/base.scm (glibc/linux)[replacement]: New field.
>> > (glibc-2.25-fixed): New variable.
>> > (glibc@2.24, glibc@2.23, glibc@2.22, glibc@2.21)[source]: Add patches.
>> > [replacement]: New field.
>> > (glibc-locales)[replacement]: New field.
>> > * gnu/packages/commencement.scm (cross-gcc-wrapper)[replacement]: New field.
The commit log should mention the two packages that were converted to
use 'package/inherit'.
>> > * gnu/packages/patches/glibc-CVE-2017-1000366.patch,
>> > gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch,
>> > gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch: New files.
>> > * gnu/local.mk (dist_patch_DATA): Add them.
Also, this patch includes some other unrelated fixes, such as changing
"gnu" to "%D%" in local.mk. It would be good to split those off into
separate commits.
>> Thanks, I'm building a bare-bones disk image to test this patch.
>
> Hm, I noticed the bootstrap binaries being downloaded, so I don't think
> this patch applies the graft without causing a full rebuild.
It's likely that this is because of the new behavior of Hydra, where
NARs that haven't been fetched in the last 14 days are deleted, and then
those substitutes will fail the next time they are requested.
In this system fetching substitutes that are not often requested will
often fail. One must try to fetch them, and then wait a while for Hydra
to rebuild the NARs, and then try again later. FWIW, I don't like this
approach, but it's what we have for now.
Mark
next prev parent reply other threads:[~2017-06-22 6:45 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-19 22:25 bug#27429: Stack clash (CVE-2017-1000366 etc) Leo Famulari
2017-06-19 23:05 ` Leo Famulari
2017-06-20 0:42 ` Leo Famulari
2017-06-20 0:49 ` Leo Famulari
2017-06-20 7:18 ` Efraim Flashner
2017-06-20 13:16 ` Leo Famulari
2017-06-20 21:44 ` Mark H Weaver
2017-06-21 8:41 ` Efraim Flashner
2017-06-21 9:50 ` Efraim Flashner
2017-06-21 23:52 ` Leo Famulari
2017-06-22 0:03 ` Leo Famulari
2017-06-22 6:44 ` Mark H Weaver [this message]
2017-06-22 16:17 ` Leo Famulari
2017-06-22 18:34 ` Leo Famulari
2017-06-22 19:25 ` Leo Famulari
2017-06-29 10:58 ` Ludovic Courtès
2017-06-29 15:49 ` Mark H Weaver
2017-06-29 20:06 ` Ludovic Courtès
2017-06-29 21:03 ` bug#27429: core-updates and shishi [was Re: bug#27429: Stack clash (CVE-2017-1000366 etc)] Leo Famulari
2017-06-29 22:27 ` Ludovic Courtès
2017-06-30 6:47 ` Leo Famulari
2017-06-30 12:59 ` Ludovic Courtès
2017-06-23 17:20 ` bug#27429: Stack clash (CVE-2017-1000366 etc) Leo Famulari
2017-06-23 18:36 ` Mark H Weaver
2017-06-23 18:54 ` Leo Famulari
2017-06-23 20:03 ` Mark H Weaver
2017-06-24 7:11 ` Mark H Weaver
2017-06-26 8:41 ` Ludovic Courtès
2017-06-26 11:19 ` Mark H Weaver
2017-06-27 13:57 ` Ludovic Courtès
2017-06-28 21:55 ` Leo Famulari
2017-06-20 3:31 ` Mark H Weaver
2017-06-25 9:38 ` bug#27429: Stack clash (CVE-2017-1000366 etc); -fstack-check Danny Milosavljevic
2017-06-25 10:41 ` Marius Bakke
2017-06-25 13:19 ` Leo Famulari
2017-07-20 15:54 ` bug#27429: Stack clash (CVE-2017-1000366 etc) Ludovic Courtès
2017-07-20 19:13 ` Leo Famulari
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87zid0iksk.fsf@netris.org \
--to=mhw@netris.org \
--cc=27429@debbugs.gnu.org \
--cc=leo@famulari.name \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).