unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* [PATCH] gnu: glibc: Fix CVE-2014-5519
@ 2014-08-26 19:16 mhw
  2014-08-26 20:07 ` [PATCH] gnu: glibc: Fix CVE-2014-5119 mhw
  2014-08-27  9:22 ` [PATCH] gnu: glibc: Fix CVE-2014-5519 Ludovic Courtès
  0 siblings, 2 replies; 8+ messages in thread
From: mhw @ 2014-08-26 19:16 UTC (permalink / raw)
  To: guix-devel

[-- Attachment #1: Type: text/plain, Size: 372 bytes --]

I'll push this patch to core-updates as soon as I've tested it.

https://sourceware.org/bugzilla/show_bug.cgi?id=17187
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8
http://googleprojectzero.blogspot.co.nz/2014/08/the-poisoned-nul-byte-2014-edition.html

I'm not sure what we should do on 'master'.  Thoughts?

     Mark



[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: [PATCH] gnu: glibc: Fix CVE-2014-5519 --]
[-- Type: text/x-patch, Size: 8203 bytes --]

From 4b5770796955011e2a7b2166b38f8f6b3a6d6757 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Tue, 26 Aug 2014 14:44:14 -0400
Subject: [PATCH] gnu: glibc: Fix CVE-2014-5519.

* gnu/packages/patches/glibc-CVE-2014-5519.patch: New file.
* gnu-system.am (dist_patch_DATA): Add it.
* gnu/packages/base.scm (glibc): Add the patch.
---
 gnu-system.am                                  |   1 +
 gnu/packages/base.scm                          |   3 +-
 gnu/packages/patches/glibc-CVE-2014-5519.patch | 211 +++++++++++++++++++++++++
 3 files changed, 214 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/glibc-CVE-2014-5519.patch

diff --git a/gnu-system.am b/gnu-system.am
index f24da85..a14781b 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -311,6 +311,7 @@ dist_patch_DATA =						\
   gnu/packages/patches/glib-tests-prlimit.patch			\
   gnu/packages/patches/glib-tests-timer.patch			\
   gnu/packages/patches/glibc-bootstrap-system.patch		\
+  gnu/packages/patches/glibc-CVE-2014-5519.patch		\
   gnu/packages/patches/glibc-ldd-x86_64.patch			\
   gnu/packages/patches/gnunet-fix-scheduler.patch		\
   gnu/packages/patches/gnunet-fix-tests.patch    		\
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 30176cf..8c4f0eb 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -384,7 +384,8 @@ library for working with executable and object formats is also included.")
                 (("use_ldconfig=yes")
                  "use_ldconfig=no")))
             (modules '((guix build utils)))
-            (patches (list (search-patch "glibc-ldd-x86_64.patch")))))
+            (patches (list (search-patch "glibc-CVE-2014-5519.patch")
+                           (search-patch "glibc-ldd-x86_64.patch")))))
    (build-system gnu-build-system)
 
    ;; Glibc's <limits.h> refers to <linux/limit.h>, for instance, so glibc
diff --git a/gnu/packages/patches/glibc-CVE-2014-5519.patch b/gnu/packages/patches/glibc-CVE-2014-5519.patch
new file mode 100644
index 0000000..fc9acd4
--- /dev/null
+++ b/gnu/packages/patches/glibc-CVE-2014-5519.patch
@@ -0,0 +1,211 @@
+Remove support for loadable gconv transliteration modules.
+The support for transliteration modules has been non-functional for
+over a decade, and the removal is prompted by security defects.  The
+normal gconv conversion modules are still supported.  Transliteration
+with //TRANSLIT is still possible, and the //IGNORE specifier
+continues to be  supported. (CVE-2014-5519)
+
+Based on upstream commit a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8 by
+Florian Weimer <fweimer@redhat.com>.
+
+--- glibc-2.19/ChangeLog.orig	2014-02-07 04:04:38.000000000 -0500
++++ glibc-2.19/ChangeLog	2014-08-26 14:35:12.368861387 -0400
+@@ -1,3 +1,10 @@
++2014-08-26  Florian Weimer  <fweimer@redhat.com>
++
++	[BZ #17187]
++	* iconv/gconv_trans.c (struct known_trans, search_tree, lock,
++	trans_compare, open_translit, __gconv_translit_find):
++	Remove module loading code.
++
+ 2014-02-06  Carlos O'Donell  <carlos@redhat.com>
+ 
+ 	[BZ #16529]
+--- glibc-2.19/iconv/gconv_trans.c.orig	2014-02-07 04:04:38.000000000 -0500
++++ glibc-2.19/iconv/gconv_trans.c	2014-08-26 14:37:26.269525364 -0400
+@@ -238,181 +238,12 @@
+   return __GCONV_ILLEGAL_INPUT;
+ }
+ 
+-
+-/* Structure to represent results of found (or not) transliteration
+-   modules.  */
+-struct known_trans
+-{
+-  /* This structure must remain the first member.  */
+-  struct trans_struct info;
+-
+-  char *fname;
+-  void *handle;
+-  int open_count;
+-};
+-
+-
+-/* Tree with results of previous calls to __gconv_translit_find.  */
+-static void *search_tree;
+-
+-/* We modify global data.   */
+-__libc_lock_define_initialized (static, lock);
+-
+-
+-/* Compare two transliteration entries.  */
+-static int
+-trans_compare (const void *p1, const void *p2)
+-{
+-  const struct known_trans *s1 = (const struct known_trans *) p1;
+-  const struct known_trans *s2 = (const struct known_trans *) p2;
+-
+-  return strcmp (s1->info.name, s2->info.name);
+-}
+-
+-
+-/* Open (maybe reopen) the module named in the struct.  Get the function
+-   and data structure pointers we need.  */
+-static int
+-open_translit (struct known_trans *trans)
+-{
+-  __gconv_trans_query_fct queryfct;
+-
+-  trans->handle = __libc_dlopen (trans->fname);
+-  if (trans->handle == NULL)
+-    /* Not available.  */
+-    return 1;
+-
+-  /* Find the required symbol.  */
+-  queryfct = __libc_dlsym (trans->handle, "gconv_trans_context");
+-  if (queryfct == NULL)
+-    {
+-      /* We cannot live with that.  */
+-    close_and_out:
+-      __libc_dlclose (trans->handle);
+-      trans->handle = NULL;
+-      return 1;
+-    }
+-
+-  /* Get the context.  */
+-  if (queryfct (trans->info.name, &trans->info.csnames, &trans->info.ncsnames)
+-      != 0)
+-    goto close_and_out;
+-
+-  /* Of course we also have to have the actual function.  */
+-  trans->info.trans_fct = __libc_dlsym (trans->handle, "gconv_trans");
+-  if (trans->info.trans_fct == NULL)
+-    goto close_and_out;
+-
+-  /* Now the optional functions.  */
+-  trans->info.trans_init_fct =
+-    __libc_dlsym (trans->handle, "gconv_trans_init");
+-  trans->info.trans_context_fct =
+-    __libc_dlsym (trans->handle, "gconv_trans_context");
+-  trans->info.trans_end_fct =
+-    __libc_dlsym (trans->handle, "gconv_trans_end");
+-
+-  trans->open_count = 1;
+-
+-  return 0;
+-}
+-
+-
+ int
+ internal_function
+ __gconv_translit_find (struct trans_struct *trans)
+ {
+-  struct known_trans **found;
+-  const struct path_elem *runp;
+-  int res = 1;
+-
+-  /* We have to have a name.  */
+-  assert (trans->name != NULL);
+-
+-  /* Acquire the lock.  */
+-  __libc_lock_lock (lock);
+-
+-  /* See whether we know this module already.  */
+-  found = __tfind (trans, &search_tree, trans_compare);
+-  if (found != NULL)
+-    {
+-      /* Is this module available?  */
+-      if ((*found)->handle != NULL)
+-	{
+-	  /* Maybe we have to reopen the file.  */
+-	  if ((*found)->handle != (void *) -1)
+-	    /* The object is not unloaded.  */
+-	    res = 0;
+-	  else if (open_translit (*found) == 0)
+-	    {
+-	      /* Copy the data.  */
+-	      *trans = (*found)->info;
+-	      (*found)->open_count++;
+-	      res = 0;
+-	    }
+-	}
+-    }
+-  else
+-    {
+-      size_t name_len = strlen (trans->name) + 1;
+-      int need_so = 0;
+-      struct known_trans *newp;
+-
+-      /* We have to continue looking for the module.  */
+-      if (__gconv_path_elem == NULL)
+-	__gconv_get_path ();
+-
+-      /* See whether we have to append .so.  */
+-      if (name_len <= 4 || memcmp (&trans->name[name_len - 4], ".so", 3) != 0)
+-	need_so = 1;
+-
+-      /* Create a new entry.  */
+-      newp = (struct known_trans *) malloc (sizeof (struct known_trans)
+-					    + (__gconv_max_path_elem_len
+-					       + name_len + 3)
+-					    + name_len);
+-      if (newp != NULL)
+-	{
+-	  char *cp;
+-
+-	  /* Clear the struct.  */
+-	  memset (newp, '\0', sizeof (struct known_trans));
+-
+-	  /* Store a copy of the module name.  */
+-	  newp->info.name = cp = (char *) (newp + 1);
+-	  cp = __mempcpy (cp, trans->name, name_len);
+-
+-	  newp->fname = cp;
+-
+-	  /* Search in all the directories.  */
+-	  for (runp = __gconv_path_elem; runp->name != NULL; ++runp)
+-	    {
+-	      cp = __mempcpy (__stpcpy ((char *) newp->fname, runp->name),
+-			      trans->name, name_len);
+-	      if (need_so)
+-		memcpy (cp, ".so", sizeof (".so"));
+-
+-	      if (open_translit (newp) == 0)
+-		{
+-		  /* We found a module.  */
+-		  res = 0;
+-		  break;
+-		}
+-	    }
+-
+-	  if (res)
+-	    newp->fname = NULL;
+-
+-	  /* In any case we'll add the entry to our search tree.  */
+-	  if (__tsearch (newp, &search_tree, trans_compare) == NULL)
+-	    {
+-	      /* Yickes, this should not happen.  Unload the object.  */
+-	      res = 1;
+-	      /* XXX unload here.  */
+-	    }
+-	}
+-    }
+-
+-  __libc_lock_unlock (lock);
+-
+-  return res;
++  /* Transliteration module loading has been removed because it never
++     worked as intended and suffered from a security vulnerability.
++     Consequently, this function always fails.  */
++  return 1;
+ }
-- 
1.8.4


^ permalink raw reply related	[flat|nested] 8+ messages in thread

* [PATCH] gnu: glibc: Fix CVE-2014-5119
  2014-08-26 19:16 [PATCH] gnu: glibc: Fix CVE-2014-5519 mhw
@ 2014-08-26 20:07 ` mhw
  2014-08-27  9:22 ` [PATCH] gnu: glibc: Fix CVE-2014-5519 Ludovic Courtès
  1 sibling, 0 replies; 8+ messages in thread
From: mhw @ 2014-08-26 20:07 UTC (permalink / raw)
  To: guix-devel

[-- Attachment #1: Type: text/plain, Size: 599 bytes --]

mhw@netris.org writes:

> I'll push this patch to core-updates as soon as I've tested it.
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=17187
> https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8
> http://googleprojectzero.blogspot.co.nz/2014/08/the-poisoned-nul-byte-2014-edition.html
>
> I'm not sure what we should do on 'master'.  Thoughts?

Unfortunately, the upstream commit had a typo in the CVE number.

  https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=f9df71e895d3552d557e783fdb9d133328195645

Here's an updated patch.

      Mark


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: [PATCH] gnu: glibc: Fix CVE-2014-5119 --]
[-- Type: text/x-patch, Size: 8250 bytes --]

From f5beb0caf31f227dbe3dd909ec318e84247a504a Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Tue, 26 Aug 2014 14:44:14 -0400
Subject: [PATCH] gnu: glibc: Fix CVE-2014-5119.

* gnu/packages/patches/glibc-CVE-2014-5119.patch: New file.
* gnu-system.am (dist_patch_DATA): Add it.
* gnu/packages/base.scm (glibc): Add the patch.
---
 gnu-system.am                                  |   1 +
 gnu/packages/base.scm                          |   3 +-
 gnu/packages/patches/glibc-CVE-2014-5119.patch | 212 +++++++++++++++++++++++++
 3 files changed, 215 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/glibc-CVE-2014-5119.patch

diff --git a/gnu-system.am b/gnu-system.am
index f24da85..006fcab 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -311,6 +311,7 @@ dist_patch_DATA =						\
   gnu/packages/patches/glib-tests-prlimit.patch			\
   gnu/packages/patches/glib-tests-timer.patch			\
   gnu/packages/patches/glibc-bootstrap-system.patch		\
+  gnu/packages/patches/glibc-CVE-2014-5119.patch		\
   gnu/packages/patches/glibc-ldd-x86_64.patch			\
   gnu/packages/patches/gnunet-fix-scheduler.patch		\
   gnu/packages/patches/gnunet-fix-tests.patch    		\
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 30176cf..6f34017 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -384,7 +384,8 @@ library for working with executable and object formats is also included.")
                 (("use_ldconfig=yes")
                  "use_ldconfig=no")))
             (modules '((guix build utils)))
-            (patches (list (search-patch "glibc-ldd-x86_64.patch")))))
+            (patches (list (search-patch "glibc-CVE-2014-5119.patch")
+                           (search-patch "glibc-ldd-x86_64.patch")))))
    (build-system gnu-build-system)
 
    ;; Glibc's <limits.h> refers to <linux/limit.h>, for instance, so glibc
diff --git a/gnu/packages/patches/glibc-CVE-2014-5119.patch b/gnu/packages/patches/glibc-CVE-2014-5119.patch
new file mode 100644
index 0000000..de063a2
--- /dev/null
+++ b/gnu/packages/patches/glibc-CVE-2014-5119.patch
@@ -0,0 +1,212 @@
+Remove support for loadable gconv transliteration modules.
+The support for transliteration modules has been non-functional for
+over a decade, and the removal is prompted by security defects.  The
+normal gconv conversion modules are still supported.  Transliteration
+with //TRANSLIT is still possible, and the //IGNORE specifier
+continues to be  supported. (CVE-2014-5119)
+
+Based on upstream commits a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8
+and f9df71e895d3552d557e783fdb9d133328195645
+by Florian Weimer <fweimer@redhat.com>.
+
+--- glibc-2.19/ChangeLog.orig	2014-02-07 04:04:38.000000000 -0500
++++ glibc-2.19/ChangeLog	2014-08-26 14:35:12.368861387 -0400
+@@ -1,3 +1,10 @@
++2014-08-26  Florian Weimer  <fweimer@redhat.com>
++
++	[BZ #17187]
++	* iconv/gconv_trans.c (struct known_trans, search_tree, lock,
++	trans_compare, open_translit, __gconv_translit_find):
++	Remove module loading code.
++
+ 2014-02-06  Carlos O'Donell  <carlos@redhat.com>
+ 
+ 	[BZ #16529]
+--- glibc-2.19/iconv/gconv_trans.c.orig	2014-02-07 04:04:38.000000000 -0500
++++ glibc-2.19/iconv/gconv_trans.c	2014-08-26 14:37:26.269525364 -0400
+@@ -238,181 +238,12 @@
+   return __GCONV_ILLEGAL_INPUT;
+ }
+ 
+-
+-/* Structure to represent results of found (or not) transliteration
+-   modules.  */
+-struct known_trans
+-{
+-  /* This structure must remain the first member.  */
+-  struct trans_struct info;
+-
+-  char *fname;
+-  void *handle;
+-  int open_count;
+-};
+-
+-
+-/* Tree with results of previous calls to __gconv_translit_find.  */
+-static void *search_tree;
+-
+-/* We modify global data.   */
+-__libc_lock_define_initialized (static, lock);
+-
+-
+-/* Compare two transliteration entries.  */
+-static int
+-trans_compare (const void *p1, const void *p2)
+-{
+-  const struct known_trans *s1 = (const struct known_trans *) p1;
+-  const struct known_trans *s2 = (const struct known_trans *) p2;
+-
+-  return strcmp (s1->info.name, s2->info.name);
+-}
+-
+-
+-/* Open (maybe reopen) the module named in the struct.  Get the function
+-   and data structure pointers we need.  */
+-static int
+-open_translit (struct known_trans *trans)
+-{
+-  __gconv_trans_query_fct queryfct;
+-
+-  trans->handle = __libc_dlopen (trans->fname);
+-  if (trans->handle == NULL)
+-    /* Not available.  */
+-    return 1;
+-
+-  /* Find the required symbol.  */
+-  queryfct = __libc_dlsym (trans->handle, "gconv_trans_context");
+-  if (queryfct == NULL)
+-    {
+-      /* We cannot live with that.  */
+-    close_and_out:
+-      __libc_dlclose (trans->handle);
+-      trans->handle = NULL;
+-      return 1;
+-    }
+-
+-  /* Get the context.  */
+-  if (queryfct (trans->info.name, &trans->info.csnames, &trans->info.ncsnames)
+-      != 0)
+-    goto close_and_out;
+-
+-  /* Of course we also have to have the actual function.  */
+-  trans->info.trans_fct = __libc_dlsym (trans->handle, "gconv_trans");
+-  if (trans->info.trans_fct == NULL)
+-    goto close_and_out;
+-
+-  /* Now the optional functions.  */
+-  trans->info.trans_init_fct =
+-    __libc_dlsym (trans->handle, "gconv_trans_init");
+-  trans->info.trans_context_fct =
+-    __libc_dlsym (trans->handle, "gconv_trans_context");
+-  trans->info.trans_end_fct =
+-    __libc_dlsym (trans->handle, "gconv_trans_end");
+-
+-  trans->open_count = 1;
+-
+-  return 0;
+-}
+-
+-
+ int
+ internal_function
+ __gconv_translit_find (struct trans_struct *trans)
+ {
+-  struct known_trans **found;
+-  const struct path_elem *runp;
+-  int res = 1;
+-
+-  /* We have to have a name.  */
+-  assert (trans->name != NULL);
+-
+-  /* Acquire the lock.  */
+-  __libc_lock_lock (lock);
+-
+-  /* See whether we know this module already.  */
+-  found = __tfind (trans, &search_tree, trans_compare);
+-  if (found != NULL)
+-    {
+-      /* Is this module available?  */
+-      if ((*found)->handle != NULL)
+-	{
+-	  /* Maybe we have to reopen the file.  */
+-	  if ((*found)->handle != (void *) -1)
+-	    /* The object is not unloaded.  */
+-	    res = 0;
+-	  else if (open_translit (*found) == 0)
+-	    {
+-	      /* Copy the data.  */
+-	      *trans = (*found)->info;
+-	      (*found)->open_count++;
+-	      res = 0;
+-	    }
+-	}
+-    }
+-  else
+-    {
+-      size_t name_len = strlen (trans->name) + 1;
+-      int need_so = 0;
+-      struct known_trans *newp;
+-
+-      /* We have to continue looking for the module.  */
+-      if (__gconv_path_elem == NULL)
+-	__gconv_get_path ();
+-
+-      /* See whether we have to append .so.  */
+-      if (name_len <= 4 || memcmp (&trans->name[name_len - 4], ".so", 3) != 0)
+-	need_so = 1;
+-
+-      /* Create a new entry.  */
+-      newp = (struct known_trans *) malloc (sizeof (struct known_trans)
+-					    + (__gconv_max_path_elem_len
+-					       + name_len + 3)
+-					    + name_len);
+-      if (newp != NULL)
+-	{
+-	  char *cp;
+-
+-	  /* Clear the struct.  */
+-	  memset (newp, '\0', sizeof (struct known_trans));
+-
+-	  /* Store a copy of the module name.  */
+-	  newp->info.name = cp = (char *) (newp + 1);
+-	  cp = __mempcpy (cp, trans->name, name_len);
+-
+-	  newp->fname = cp;
+-
+-	  /* Search in all the directories.  */
+-	  for (runp = __gconv_path_elem; runp->name != NULL; ++runp)
+-	    {
+-	      cp = __mempcpy (__stpcpy ((char *) newp->fname, runp->name),
+-			      trans->name, name_len);
+-	      if (need_so)
+-		memcpy (cp, ".so", sizeof (".so"));
+-
+-	      if (open_translit (newp) == 0)
+-		{
+-		  /* We found a module.  */
+-		  res = 0;
+-		  break;
+-		}
+-	    }
+-
+-	  if (res)
+-	    newp->fname = NULL;
+-
+-	  /* In any case we'll add the entry to our search tree.  */
+-	  if (__tsearch (newp, &search_tree, trans_compare) == NULL)
+-	    {
+-	      /* Yickes, this should not happen.  Unload the object.  */
+-	      res = 1;
+-	      /* XXX unload here.  */
+-	    }
+-	}
+-    }
+-
+-  __libc_lock_unlock (lock);
+-
+-  return res;
++  /* Transliteration module loading has been removed because it never
++     worked as intended and suffered from a security vulnerability.
++     Consequently, this function always fails.  */
++  return 1;
+ }
-- 
1.8.4


^ permalink raw reply related	[flat|nested] 8+ messages in thread

* Re: [PATCH] gnu: glibc: Fix CVE-2014-5519
  2014-08-26 19:16 [PATCH] gnu: glibc: Fix CVE-2014-5519 mhw
  2014-08-26 20:07 ` [PATCH] gnu: glibc: Fix CVE-2014-5119 mhw
@ 2014-08-27  9:22 ` Ludovic Courtès
  2014-08-27  9:31   ` Andreas Enge
  1 sibling, 1 reply; 8+ messages in thread
From: Ludovic Courtès @ 2014-08-27  9:22 UTC (permalink / raw)
  To: mhw; +Cc: guix-devel

mhw@netris.org skribis:

> I'll push this patch to core-updates as soon as I've tested it.
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=17187
> https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8
> http://googleprojectzero.blogspot.co.nz/2014/08/the-poisoned-nul-byte-2014-edition.html
>
> I'm not sure what we should do on 'master'.  Thoughts?

Since it permits root privilege escalation, and there’s a documented
example on how to do it, the general rule IMO should be that we should
apply it.

However, Hydra is currently in a bad state, esp. disk-space-wise, so I’m
afraid this would prevent us from deploying the fix efficiently.  :-/

So I’m inclined to just leave it on core-updates for now.  WDYT?

That said, perhaps now is a good time to write down rules on how to
handle CVEs.  Would you like to have a stab at it?

Thanks,
Ludo’.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] gnu: glibc: Fix CVE-2014-5519
  2014-08-27  9:22 ` [PATCH] gnu: glibc: Fix CVE-2014-5519 Ludovic Courtès
@ 2014-08-27  9:31   ` Andreas Enge
  2014-08-27 12:21     ` Ludovic Courtès
  0 siblings, 1 reply; 8+ messages in thread
From: Andreas Enge @ 2014-08-27  9:31 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

On Wed, Aug 27, 2014 at 11:22:14AM +0200, Ludovic Courtès wrote:
> So I’m inclined to just leave it on core-updates for now.  WDYT?

As the fix entails essentially a complete rebuild of our packages, how about
merging core-updates back into master now?

Andreas

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] gnu: glibc: Fix CVE-2014-5519
  2014-08-27  9:31   ` Andreas Enge
@ 2014-08-27 12:21     ` Ludovic Courtès
  2014-08-28  5:34       ` mhw
  0 siblings, 1 reply; 8+ messages in thread
From: Ludovic Courtès @ 2014-08-27 12:21 UTC (permalink / raw)
  To: Andreas Enge; +Cc: guix-devel

Andreas Enge <andreas@enge.fr> skribis:

> On Wed, Aug 27, 2014 at 11:22:14AM +0200, Ludovic Courtès wrote:
>> So I’m inclined to just leave it on core-updates for now.  WDYT?
>
> As the fix entails essentially a complete rebuild of our packages, how about
> merging core-updates back into master now?

I’m not sure what the status of core-updates is.  There are potentially
disruptive changes in there, which is why I’d be a bit wary.  Mark?

Ludo’.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] gnu: glibc: Fix CVE-2014-5519
  2014-08-27 12:21     ` Ludovic Courtès
@ 2014-08-28  5:34       ` mhw
  2014-08-29 10:06         ` Ludovic Courtès
  0 siblings, 1 reply; 8+ messages in thread
From: mhw @ 2014-08-28  5:34 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

ludo@gnu.org (Ludovic Courtès) writes:

> Andreas Enge <andreas@enge.fr> skribis:
>
>> On Wed, Aug 27, 2014 at 11:22:14AM +0200, Ludovic Courtès wrote:
>>> So I’m inclined to just leave it on core-updates for now.  WDYT?
>>
>> As the fix entails essentially a complete rebuild of our packages, how about
>> merging core-updates back into master now?
>
> I’m not sure what the status of core-updates is.  There are potentially
> disruptive changes in there, which is why I’d be a bit wary.  Mark?

I've been building core-updates on i686, and it seems fine.  While the
changes force a full rebuild, they do not seem likely to cause many
problems.

I think we should ask hydra to build all of core-updates and then merge
core-updates into master.

What do others think?

      Mark

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] gnu: glibc: Fix CVE-2014-5519
  2014-08-28  5:34       ` mhw
@ 2014-08-29 10:06         ` Ludovic Courtès
  2014-09-22 21:18           ` core-updates merged Ludovic Courtès
  0 siblings, 1 reply; 8+ messages in thread
From: Ludovic Courtès @ 2014-08-29 10:06 UTC (permalink / raw)
  To: mhw; +Cc: guix-devel

mhw@netris.org skribis:

> I think we should ask hydra to build all of core-updates and then merge
> core-updates into master.

Yes, please.

Please monitor for ENOSPC conditions on hydra.gnu.org, and stop
hydra-queue-runner if that happens (that should really be checked by a
cron job), just the time to hopefully free some space.

Thanks,
Ludo’.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* core-updates merged
  2014-08-29 10:06         ` Ludovic Courtès
@ 2014-09-22 21:18           ` Ludovic Courtès
  0 siblings, 0 replies; 8+ messages in thread
From: Ludovic Courtès @ 2014-09-22 21:18 UTC (permalink / raw)
  To: guix-devel

[-- Attachment #1: Type: text/plain, Size: 443 bytes --]

The ‘core-updates’ branch has finally been merged.

It upgrades libc to 2.20, which fixes two security issues found in 2.19,
and fixes a bug in GCC 4.8.3.

Now that hydra.gnu.org is in better shape, I hope it will be easier to
deploy such fixes in the future.  However, we must also be diligent in
not triggering full rebuilds for unrelated issues when the deployment of
security fixes is at stake.  (I plead guilty.)

Ludo’.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 818 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2014-09-22 21:18 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-08-26 19:16 [PATCH] gnu: glibc: Fix CVE-2014-5519 mhw
2014-08-26 20:07 ` [PATCH] gnu: glibc: Fix CVE-2014-5119 mhw
2014-08-27  9:22 ` [PATCH] gnu: glibc: Fix CVE-2014-5519 Ludovic Courtès
2014-08-27  9:31   ` Andreas Enge
2014-08-27 12:21     ` Ludovic Courtès
2014-08-28  5:34       ` mhw
2014-08-29 10:06         ` Ludovic Courtès
2014-09-22 21:18           ` core-updates merged Ludovic Courtès

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).