core-updates: merged

core-updates: merged

[Ricardo Wurmus]

Hi Guix,

core-updates has been merged.

Thanks to everyone who helped in making this happen!

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
https://elephly.net

Re: core-updates: merged

[Ludovic Courtès]

Hello Guix!

Ricardo Wurmus <rekado@elephly.net> skribis:

> core-updates has been merged.
>
> Thanks to everyone who helped in making this happen!

Woohoo, indeed!

For the record, some of the goodies there:

  • glibc 2.26+ (almost 2.27!), coreutils 8.28, guile 2.2.3, util-linux
    2.31, etc.

  • Several packages went on a diet: glibc (with “static” output), guile
    (separate “guile-readline” package), guix, mesa.

  • Packages include license notices under share/doc.

  • Mesa includes Vulkan support.

… and probably lots of other things I forgot or didn’t even notice.

Kudos everyone!

Ludo’.

core-updates merged

[Mark H Weaver]

FYI, I just merged core-updates into master.

    Mark

[PATCH] gnu: glibc: Fix CVE-2014-5519

[mhw]

[-- Attachment #1: Type: text/plain, Size: 372 bytes --]

I'll push this patch to core-updates as soon as I've tested it.

https://sourceware.org/bugzilla/show_bug.cgi?id=17187
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8
http://googleprojectzero.blogspot.co.nz/2014/08/the-poisoned-nul-byte-2014-edition.html

I'm not sure what we should do on 'master'.  Thoughts?

     Mark



[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: [PATCH] gnu: glibc: Fix CVE-2014-5519 --]
[-- Type: text/x-patch, Size: 8203 bytes --]

From 4b5770796955011e2a7b2166b38f8f6b3a6d6757 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Tue, 26 Aug 2014 14:44:14 -0400
Subject: [PATCH] gnu: glibc: Fix CVE-2014-5519.

* gnu/packages/patches/glibc-CVE-2014-5519.patch: New file.
* gnu-system.am (dist_patch_DATA): Add it.
* gnu/packages/base.scm (glibc): Add the patch.
---
 gnu-system.am                                  |   1 +
 gnu/packages/base.scm                          |   3 +-
 gnu/packages/patches/glibc-CVE-2014-5519.patch | 211 +++++++++++++++++++++++++
 3 files changed, 214 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/glibc-CVE-2014-5519.patch

diff --git a/gnu-system.am b/gnu-system.am
index f24da85..a14781b 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -311,6 +311,7 @@ dist_patch_DATA =						\
   gnu/packages/patches/glib-tests-prlimit.patch			\
   gnu/packages/patches/glib-tests-timer.patch			\
   gnu/packages/patches/glibc-bootstrap-system.patch		\
+  gnu/packages/patches/glibc-CVE-2014-5519.patch		\
   gnu/packages/patches/glibc-ldd-x86_64.patch			\
   gnu/packages/patches/gnunet-fix-scheduler.patch		\
   gnu/packages/patches/gnunet-fix-tests.patch    		\
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 30176cf..8c4f0eb 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -384,7 +384,8 @@ library for working with executable and object formats is also included.")
                 (("use_ldconfig=yes")
                  "use_ldconfig=no")))
             (modules '((guix build utils)))
-            (patches (list (search-patch "glibc-ldd-x86_64.patch")))))
+            (patches (list (search-patch "glibc-CVE-2014-5519.patch")
+                           (search-patch "glibc-ldd-x86_64.patch")))))
    (build-system gnu-build-system)
 
    ;; Glibc's <limits.h> refers to <linux/limit.h>, for instance, so glibc
diff --git a/gnu/packages/patches/glibc-CVE-2014-5519.patch b/gnu/packages/patches/glibc-CVE-2014-5519.patch
new file mode 100644
index 0000000..fc9acd4
--- /dev/null
+++ b/gnu/packages/patches/glibc-CVE-2014-5519.patch
@@ -0,0 +1,211 @@
+Remove support for loadable gconv transliteration modules.
+The support for transliteration modules has been non-functional for
+over a decade, and the removal is prompted by security defects.  The
+normal gconv conversion modules are still supported.  Transliteration
+with //TRANSLIT is still possible, and the //IGNORE specifier
+continues to be  supported. (CVE-2014-5519)
+
+Based on upstream commit a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8 by
+Florian Weimer <fweimer@redhat.com>.
+
+--- glibc-2.19/ChangeLog.orig	2014-02-07 04:04:38.000000000 -0500
++++ glibc-2.19/ChangeLog	2014-08-26 14:35:12.368861387 -0400
+@@ -1,3 +1,10 @@
++2014-08-26  Florian Weimer  <fweimer@redhat.com>
++
++	[BZ #17187]
++	* iconv/gconv_trans.c (struct known_trans, search_tree, lock,
++	trans_compare, open_translit, __gconv_translit_find):
++	Remove module loading code.
++
+ 2014-02-06  Carlos O'Donell  <carlos@redhat.com>
+ 
+ 	[BZ #16529]
+--- glibc-2.19/iconv/gconv_trans.c.orig	2014-02-07 04:04:38.000000000 -0500
++++ glibc-2.19/iconv/gconv_trans.c	2014-08-26 14:37:26.269525364 -0400
+@@ -238,181 +238,12 @@
+   return __GCONV_ILLEGAL_INPUT;
+ }
+ 
+-
+-/* Structure to represent results of found (or not) transliteration
+-   modules.  */
+-struct known_trans
+-{
+-  /* This structure must remain the first member.  */
+-  struct trans_struct info;
+-
+-  char *fname;
+-  void *handle;
+-  int open_count;
+-};
+-
+-
+-/* Tree with results of previous calls to __gconv_translit_find.  */
+-static void *search_tree;
+-
+-/* We modify global data.   */
+-__libc_lock_define_initialized (static, lock);
+-
+-
+-/* Compare two transliteration entries.  */
+-static int
+-trans_compare (const void *p1, const void *p2)
+-{
+-  const struct known_trans *s1 = (const struct known_trans *) p1;
+-  const struct known_trans *s2 = (const struct known_trans *) p2;
+-
+-  return strcmp (s1->info.name, s2->info.name);
+-}
+-
+-
+-/* Open (maybe reopen) the module named in the struct.  Get the function
+-   and data structure pointers we need.  */
+-static int
+-open_translit (struct known_trans *trans)
+-{
+-  __gconv_trans_query_fct queryfct;
+-
+-  trans->handle = __libc_dlopen (trans->fname);
+-  if (trans->handle == NULL)
+-    /* Not available.  */
+-    return 1;
+-
+-  /* Find the required symbol.  */
+-  queryfct = __libc_dlsym (trans->handle, "gconv_trans_context");
+-  if (queryfct == NULL)
+-    {
+-      /* We cannot live with that.  */
+-    close_and_out:
+-      __libc_dlclose (trans->handle);
+-      trans->handle = NULL;
+-      return 1;
+-    }
+-
+-  /* Get the context.  */
+-  if (queryfct (trans->info.name, &trans->info.csnames, &trans->info.ncsnames)
+-      != 0)
+-    goto close_and_out;
+-
+-  /* Of course we also have to have the actual function.  */
+-  trans->info.trans_fct = __libc_dlsym (trans->handle, "gconv_trans");
+-  if (trans->info.trans_fct == NULL)
+-    goto close_and_out;
+-
+-  /* Now the optional functions.  */
+-  trans->info.trans_init_fct =
+-    __libc_dlsym (trans->handle, "gconv_trans_init");
+-  trans->info.trans_context_fct =
+-    __libc_dlsym (trans->handle, "gconv_trans_context");
+-  trans->info.trans_end_fct =
+-    __libc_dlsym (trans->handle, "gconv_trans_end");
+-
+-  trans->open_count = 1;
+-
+-  return 0;
+-}
+-
+-
+ int
+ internal_function
+ __gconv_translit_find (struct trans_struct *trans)
+ {
+-  struct known_trans **found;
+-  const struct path_elem *runp;
+-  int res = 1;
+-
+-  /* We have to have a name.  */
+-  assert (trans->name != NULL);
+-
+-  /* Acquire the lock.  */
+-  __libc_lock_lock (lock);
+-
+-  /* See whether we know this module already.  */
+-  found = __tfind (trans, &search_tree, trans_compare);
+-  if (found != NULL)
+-    {
+-      /* Is this module available?  */
+-      if ((*found)->handle != NULL)
+-	{
+-	  /* Maybe we have to reopen the file.  */
+-	  if ((*found)->handle != (void *) -1)
+-	    /* The object is not unloaded.  */
+-	    res = 0;
+-	  else if (open_translit (*found) == 0)
+-	    {
+-	      /* Copy the data.  */
+-	      *trans = (*found)->info;
+-	      (*found)->open_count++;
+-	      res = 0;
+-	    }
+-	}
+-    }
+-  else
+-    {
+-      size_t name_len = strlen (trans->name) + 1;
+-      int need_so = 0;
+-      struct known_trans *newp;
+-
+-      /* We have to continue looking for the module.  */
+-      if (__gconv_path_elem == NULL)
+-	__gconv_get_path ();
+-
+-      /* See whether we have to append .so.  */
+-      if (name_len <= 4 || memcmp (&trans->name[name_len - 4], ".so", 3) != 0)
+-	need_so = 1;
+-
+-      /* Create a new entry.  */
+-      newp = (struct known_trans *) malloc (sizeof (struct known_trans)
+-					    + (__gconv_max_path_elem_len
+-					       + name_len + 3)
+-					    + name_len);
+-      if (newp != NULL)
+-	{
+-	  char *cp;
+-
+-	  /* Clear the struct.  */
+-	  memset (newp, '\0', sizeof (struct known_trans));
+-
+-	  /* Store a copy of the module name.  */
+-	  newp->info.name = cp = (char *) (newp + 1);
+-	  cp = __mempcpy (cp, trans->name, name_len);
+-
+-	  newp->fname = cp;
+-
+-	  /* Search in all the directories.  */
+-	  for (runp = __gconv_path_elem; runp->name != NULL; ++runp)
+-	    {
+-	      cp = __mempcpy (__stpcpy ((char *) newp->fname, runp->name),
+-			      trans->name, name_len);
+-	      if (need_so)
+-		memcpy (cp, ".so", sizeof (".so"));
+-
+-	      if (open_translit (newp) == 0)
+-		{
+-		  /* We found a module.  */
+-		  res = 0;
+-		  break;
+-		}
+-	    }
+-
+-	  if (res)
+-	    newp->fname = NULL;
+-
+-	  /* In any case we'll add the entry to our search tree.  */
+-	  if (__tsearch (newp, &search_tree, trans_compare) == NULL)
+-	    {
+-	      /* Yickes, this should not happen.  Unload the object.  */
+-	      res = 1;
+-	      /* XXX unload here.  */
+-	    }
+-	}
+-    }
+-
+-  __libc_lock_unlock (lock);
+-
+-  return res;
++  /* Transliteration module loading has been removed because it never
++     worked as intended and suffered from a security vulnerability.
++     Consequently, this function always fails.  */
++  return 1;
+ }
-- 
1.8.4

Re: [PATCH] gnu: glibc: Fix CVE-2014-5519

[Ludovic Courtès]

mhw@netris.org skribis:

> I'll push this patch to core-updates as soon as I've tested it.
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=17187
> https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8
> http://googleprojectzero.blogspot.co.nz/2014/08/the-poisoned-nul-byte-2014-edition.html
>
> I'm not sure what we should do on 'master'.  Thoughts?

Since it permits root privilege escalation, and there’s a documented
example on how to do it, the general rule IMO should be that we should
apply it.

However, Hydra is currently in a bad state, esp. disk-space-wise, so I’m
afraid this would prevent us from deploying the fix efficiently.  :-/

So I’m inclined to just leave it on core-updates for now.  WDYT?

That said, perhaps now is a good time to write down rules on how to
handle CVEs.  Would you like to have a stab at it?

Thanks,
Ludo’.

Re: [PATCH] gnu: glibc: Fix CVE-2014-5519

[Andreas Enge]

On Wed, Aug 27, 2014 at 11:22:14AM +0200, Ludovic Courtès wrote:
> So I’m inclined to just leave it on core-updates for now.  WDYT?

As the fix entails essentially a complete rebuild of our packages, how about
merging core-updates back into master now?

Andreas

Re: [PATCH] gnu: glibc: Fix CVE-2014-5519

[Ludovic Courtès]

Andreas Enge <andreas@enge.fr> skribis:

> On Wed, Aug 27, 2014 at 11:22:14AM +0200, Ludovic Courtès wrote:
>> So I’m inclined to just leave it on core-updates for now.  WDYT?
>
> As the fix entails essentially a complete rebuild of our packages, how about
> merging core-updates back into master now?

I’m not sure what the status of core-updates is.  There are potentially
disruptive changes in there, which is why I’d be a bit wary.  Mark?

Ludo’.

Re: [PATCH] gnu: glibc: Fix CVE-2014-5519

[mhw]

ludo@gnu.org (Ludovic Courtès) writes:

> Andreas Enge <andreas@enge.fr> skribis:
>
>> On Wed, Aug 27, 2014 at 11:22:14AM +0200, Ludovic Courtès wrote:
>>> So I’m inclined to just leave it on core-updates for now.  WDYT?
>>
>> As the fix entails essentially a complete rebuild of our packages, how about
>> merging core-updates back into master now?
>
> I’m not sure what the status of core-updates is.  There are potentially
> disruptive changes in there, which is why I’d be a bit wary.  Mark?

I've been building core-updates on i686, and it seems fine.  While the
changes force a full rebuild, they do not seem likely to cause many
problems.

I think we should ask hydra to build all of core-updates and then merge
core-updates into master.

What do others think?

      Mark

Re: [PATCH] gnu: glibc: Fix CVE-2014-5519

[Ludovic Courtès]

mhw@netris.org skribis:

> I think we should ask hydra to build all of core-updates and then merge
> core-updates into master.

Yes, please.

Please monitor for ENOSPC conditions on hydra.gnu.org, and stop
hydra-queue-runner if that happens (that should really be checked by a
cron job), just the time to hopefully free some space.

Thanks,
Ludo’.

core-updates merged

[Ludovic Courtès]

[-- Attachment #1: Type: text/plain, Size: 443 bytes --]

The ‘core-updates’ branch has finally been merged.

It upgrades libc to 2.20, which fixes two security issues found in 2.19,
and fixes a bug in GCC 4.8.3.

Now that hydra.gnu.org is in better shape, I hope it will be easier to
deploy such fixes in the future.  However, we must also be diligent in
not triggering full rebuilds for unrelated issues when the deployment of
security fixes is at stake.  (I plead guilty.)

Ludo’.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 818 bytes --]