From: Mark H Weaver
Subject: bug#27429: Stack clash (CVE-2017-1000366 etc)
Date: Thu, 22 Jun 2017 02:44:11 -0400
To: Leo Famulari
Cc: 27429@debbugs.gnu.org

Leo Famulari writes:

> On Wed, Jun 21, 2017 at 07:52:27PM -0400, Leo Famulari wrote:
>> On Wed, Jun 21, 2017 at 12:50:45PM +0300, Efraim Flashner wrote:
>> > Had to make a small change to the patch, it turns out it couldn't build
>> > the source for glibc@2.21, so I changed the source to inherit from
>> > glibc@2.22 and not just from glibc. It doesn't change anything for the
>> > actual glibc@2.25.
>> >
>> > --
>> > Efraim Flashner אפרים פלשנר
>> > GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
>> > Confidentiality cannot be guaranteed on emails sent or received unencrypted
>>
>> > From ef14fa6db5eaedabbaa092cbed2b6f8ee903837c Mon Sep 17 00:00:00 2001
>> > From: Efraim Flashner
>> > Date: Mon, 19 Jun 2017 23:13:53 +0300
>> > Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
>> >
>> > * gnu/packages/base.scm (glibc/linux)[replacement]: New field.
>> > (glibc-2.25-fixed): New variable.
>> > (glibc@2.24, glibc@2.23, glibc@2.22, glibc@2.21)[source]: Add patches.
>> > [replacement]: New field.
>> > (glibc-locales)[replacement]: New field.
>> > * gnu/packages/commencement.scm (cross-gcc-wrapper)[replacement]: New field.

The commit log should mention the two packages that were converted to
use 'package/inherit'.

>> > * gnu/packages/patches/glibc-CVE-2017-1000366.patch,
>> > gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch,
>> > gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch: New files.
>> > * gnu/local.mk (dist_patch_DATA): Add them.

Also, this patch includes some other unrelated fixes, such as changing
"gnu" to "%D%" in local.mk. It would be good to split those off into
separate commits.

>> Thanks, I'm building a bare-bones disk image to test this patch.
>
> Hm, I noticed the bootstrap binaries being downloaded, so I don't think
> this patch applies the graft without causing a full rebuild.

It's likely that this is because of the new behavior of Hydra, where
NARs that haven't been fetched in the last 14 days are deleted, and then
those substitutes will fail the next time they are requested. In this
system fetching substitutes that are not often requested will often
fail. One must try to fetch them, and then wait a while for Hydra to
rebuild the NARs, and then try again later.

FWIW, I don't like this approach, but it's what we have for now.

Mark