From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: 70581@debbugs.gnu.org
Cc: "Maxim Cournoyer" <maxim.cournoyer@gmail.com>,
	guix-security@gnu.org, McSinyx <cnx@loang.net>,
	"Liliana Marie Prikler" <liliana.prikler@ist.tugraz.at>,
	"Ludovic Courtès" <ludo@gnu.org>,
	"Andreas Enge" <andreas@enge.fr>,
	"Janneke Nieuwenhuizen" <janneke@gnu.org>
Subject: bug#70581: [PATCH] gnu: glibc: Graft with fix for CVE-2024-2961.
Date: Sat, 14 Dec 2024 23:20:53 +0900	[thread overview]
Message-ID: <f7aeb1c1fcdf123782ddf51257a573d614d1c02d.1734186002.git.maxim.cournoyer@gmail.com> (raw)
In-Reply-To: <D0TUHV4220TM.G0XZHTPBKVOQ@guix>

* gnu/packages/base.scm (%glibc-patches): New variable.
(glibc) [source]: Use it.
[properties]: Mark CVE-2024-2961 as hidden (resolved).
[replacement]: Add field to graft with...
(glibc/fixed): ... this new package.

Fixes: <https://issues.guix.gnu.org/70581>
Change-Id: I6dd70b0e157283925824348f180c466c2f6387c9
---
 gnu/packages/base.scm | 55 ++++++++++++++++++++++++++++++++-----------
 1 file changed, 41 insertions(+), 14 deletions(-)

diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index b3f54798c4..a060ed556d 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -878,6 +878,21 @@ (define* (make-ld-wrapper name #:key
     (home-page "https://www.gnu.org/software/guix//")
     (license gpl3+)))
 
+(define %glibc-patches
+  (list "glibc-2.39-git-updates.patch"
+        "glibc-ldd-powerpc.patch"
+        "glibc-2.38-ldd-x86_64.patch"
+        "glibc-dl-cache.patch"
+        "glibc-2.37-versioned-locpath.patch"
+        ;; "glibc-allow-kernel-2.6.32.patch"
+        "glibc-reinstate-prlimit64-fallback.patch"
+        "glibc-supported-locales.patch"
+        "glibc-2.37-hurd-clock_t_centiseconds.patch"
+        "glibc-2.37-hurd-local-clock_gettime_MONOTONIC.patch"
+        "glibc-hurd-mach-print.patch"
+        "glibc-hurd-gettyent.patch"
+        "glibc-hurd-getauxval.patch"))
+
 (define-public glibc
   ;; This is the GNU C Library, used on GNU/Linux and GNU/Hurd.  Prior to
   ;; version 2.28, GNU/Hurd used a different glibc branch.
@@ -890,21 +905,11 @@ (define-public glibc
             (sha256
              (base32
               "09nrwb0ksbah9k35jchd28xxp2hidilqdgz7b8v5f30pz1yd8yzp"))
-            (patches (search-patches "glibc-2.39-git-updates.patch"
-                                     "glibc-ldd-powerpc.patch"
-                                     "glibc-2.38-ldd-x86_64.patch"
-                                     "glibc-dl-cache.patch"
-                                     "glibc-2.37-versioned-locpath.patch"
-                                     ;; "glibc-allow-kernel-2.6.32.patch"
-                                     "glibc-reinstate-prlimit64-fallback.patch"
-                                     "glibc-supported-locales.patch"
-                                     "glibc-2.37-hurd-clock_t_centiseconds.patch"
-                                     "glibc-2.37-hurd-local-clock_gettime_MONOTONIC.patch"
-                                     "glibc-hurd-mach-print.patch"
-                                     "glibc-hurd-gettyent.patch"
-                                     "glibc-hurd-getauxval.patch"))))
-   (properties `((lint-hidden-cve . ("CVE-2024-33601" "CVE-2024-33602"
+            (patches (map search-patch %glibc-patches))))
+   (properties `((lint-hidden-cve . ("CVE-2024-2961"
+                                     "CVE-2024-33601" "CVE-2024-33602"
                                      "CVE-2024-33600" "CVE-2024-33599"))))
+   (replacement glibc/fixed)
    (build-system gnu-build-system)
 
    ;; Glibc's <limits.h> refers to <linux/limit.h>, for instance, so glibc
@@ -1182,6 +1187,28 @@ (define-public glibc
    (license lgpl2.0+)
    (home-page "https://www.gnu.org/software/libc/")))
 
+(define glibc/fixed
+  (package
+    (inherit glibc)
+    (name "glibc")
+    (version (package-version glibc))
+    (source (origin
+              (method git-fetch)
+              (uri (git-reference
+                    (url "git://sourceware.org/git/glibc.git")
+                    ;; This is the latest commit from the
+                    ;; 'release/2.39/master' branch, where CVEs and other
+                    ;; important bug fixes are cherry picked.
+                    (commit "2c882bf9c15d206aaf04766d1b8e3ae5b1002cc2")))
+              (file-name (git-file-name name version))
+              (sha256
+               (base32
+                "111yf24g0qcfcxywfzrilmjxysahlbkzxfimcz9rq8p00qzvvf51"))
+              (patches (map search-patch
+                            (fold (cut delete <...>)
+                                  %glibc-patches
+                                  '("glibc-2.39-git-updates.patch"))))))))
+
 ;; Define a variation of glibc which uses the default /etc/ld.so.cache, useful
 ;; in FHS containers.
 (define-public glibc-for-fhs
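Review bot: The `fold (cut delete <...>)` over a one-element list in the `patches` field of `glibc/fixed` removes exactly one name and is harder to read than it needs to be; `(patches (map search-patch (delete "glibc-2.39-git-updates.patch" %glibc-patches)))` does the same thing and also drops the dependence on `cut` (SRFI-26) being in scope, which I cannot verify from this hunk. Nothing in `glibc/fixed` says why that patch is dropped or which vulnerability this replacement addresses; a header comment along the lines of `;; Graft replacement for CVE-2024-2961: built from the release/2.39/master branch, which already carries the upstream fixes that glibc-2.39-git-updates.patch backports, so that patch is omitted here.` would give a reader the rationale (the "already carries" part is my inference from the commit message and should be confirmed). The source is pinned by a full commit id and a sha256, so integrity does not depend on the transport, but `git://` is unauthenticated and plaintext; if sourceware serves the same repository over `https://`, switching the `url` would remove an availability/tampering-detection nuisance at no cost. Keeping `name` and `version` identical to `glibc` is required for the graft's store-path rewriting, so those two fields should stay as written even though the source is a git checkout rather than the 2.39 tarball.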

base-commit: 93e1586116f39a30ba1fcb67bd839a43533dfaf4
-- 
2.46.0




