* [bug#29490] [PATCH] Revert "gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671."
@ 2017-11-28 17:09 Marius Bakke
2017-12-05 11:08 ` Ludovic Courtès
0 siblings, 1 reply; 5+ messages in thread
From: Marius Bakke @ 2017-11-28 17:09 UTC (permalink / raw)
To: 29490
These issues has been classified as minor by Debian:
https://security-tracker.debian.org/tracker/CVE-2017-15670
https://security-tracker.debian.org/tracker/CVE-2017-15671
...and is not worth the cost of grafting and maintaining this patch.
This reverts commit 60e29339d8389e678bb9ca4bd3420ee9ee88bdf2.
---
gnu/local.mk | 1 -
gnu/packages/base.scm | 13 -----------
.../patches/glibc-CVE-2017-15670-15671.patch | 27 ----------------------
3 files changed, 41 deletions(-)
delete mode 100644 gnu/packages/patches/glibc-CVE-2017-15670-15671.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 0a46bfd3d..7b2fb7c7a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -682,7 +682,6 @@ dist_patch_DATA = \
%D%/packages/patches/glibc-CVE-2017-1000366-pt1.patch \
%D%/packages/patches/glibc-CVE-2017-1000366-pt2.patch \
%D%/packages/patches/glibc-CVE-2017-1000366-pt3.patch \
- %D%/packages/patches/glibc-CVE-2017-15670-15671.patch \
%D%/packages/patches/glibc-bootstrap-system.patch \
%D%/packages/patches/glibc-ldd-x86_64.patch \
%D%/packages/patches/glibc-locales.patch \
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 9cb628d8d..bc745351a 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -528,7 +528,6 @@ store.")
(package
(name "glibc")
(version "2.25")
- (replacement glibc/fixed)
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnu/glibc/glibc-"
@@ -787,15 +786,6 @@ GLIBC/HURD for a Hurd host"
(define-syntax glibc
(identifier-syntax (glibc-for-target)))
-(define glibc/fixed
- (package
- (inherit glibc)
- (source (origin
- (inherit (package-source glibc))
- (patches (append
- (origin-patches (package-source glibc))
- (search-patches "glibc-CVE-2017-15670-15671.patch")))))))
-
;; Below are old libc versions, which we use mostly to build locale data in
;; the old format (which the new libc cannot cope with.)
@@ -815,7 +805,6 @@ GLIBC/HURD for a Hurd host"
"glibc-o-largefile.patch"
"glibc-vectorized-strcspn-guards.patch"
"glibc-CVE-2015-5180.patch"
- "glibc-CVE-2017-15670-15671.patch"
"glibc-CVE-2017-1000366-pt1.patch"
"glibc-CVE-2017-1000366-pt2.patch"
"glibc-CVE-2017-1000366-pt3.patch"))))))
@@ -839,7 +828,6 @@ GLIBC/HURD for a Hurd host"
"glibc-CVE-2016-3075.patch"
"glibc-CVE-2016-3706.patch"
"glibc-CVE-2016-4429.patch"
- "glibc-CVE-2017-15670-15671.patch"
"glibc-CVE-2017-1000366-pt1.patch"
"glibc-CVE-2017-1000366-pt2.patch"
"glibc-CVE-2017-1000366-pt3.patch"))))))
@@ -862,7 +850,6 @@ GLIBC/HURD for a Hurd host"
"glibc-CVE-2016-3075.patch"
"glibc-CVE-2016-3706.patch"
"glibc-CVE-2016-4429.patch"
- "glibc-CVE-2017-15670-15671.patch"
"glibc-CVE-2017-1000366-pt1.patch"
"glibc-CVE-2017-1000366-pt2.patch"
"glibc-CVE-2017-1000366-pt3.patch"))))
diff --git a/gnu/packages/patches/glibc-CVE-2017-15670-15671.patch b/gnu/packages/patches/glibc-CVE-2017-15670-15671.patch
deleted file mode 100644
index 76d688c51..000000000
--- a/gnu/packages/patches/glibc-CVE-2017-15670-15671.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-Fix CVE-2017-15670:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15670
-https://sourceware.org/bugzilla/show_bug.cgi?id=22320
-https://bugzilla.redhat.com/show_bug.cgi?id=1504804
-
-And CVE-2017-15671:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15671
-https://sourceware.org/bugzilla/show_bug.cgi?id=22325
-https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15671
-
-Copied from upstream:
-<https://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=2d1bd71ec70a31b01d01b734faa66bb1ed28961f>
-
-diff --git a/posix/glob.c b/posix/glob.c
---- a/posix/glob.c
-+++ b/posix/glob.c
-@@ -843,7 +843,7 @@
- *p = '\0';
- }
- else
-- *((char *) mempcpy (newp, dirname + 1, end_name - dirname))
-+ *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1))
- = '\0';
- user_name = newp;
- }
--
2.15.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [bug#29490] [PATCH] Revert "gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671."
2017-11-28 17:09 [bug#29490] [PATCH] Revert "gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671." Marius Bakke
@ 2017-12-05 11:08 ` Ludovic Courtès
2017-12-05 23:03 ` Marius Bakke
0 siblings, 1 reply; 5+ messages in thread
From: Ludovic Courtès @ 2017-12-05 11:08 UTC (permalink / raw)
To: Marius Bakke; +Cc: 29490
Hello,
Marius Bakke <mbakke@fastmail.com> skribis:
> These issues has been classified as minor by Debian:
>
> https://security-tracker.debian.org/tracker/CVE-2017-15670
> https://security-tracker.debian.org/tracker/CVE-2017-15671
>
> ...and is not worth the cost of grafting and maintaining this patch.
I don’t see Debian’s classification as “minor”, but I see NVD severity
“high” and “medium” (I personally fail to imagine concrete remote
exploitation scenarios, but I largely lack the mental muscles for this.)
Ludo’.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [bug#29490] [PATCH] Revert "gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671."
2017-12-05 11:08 ` Ludovic Courtès
@ 2017-12-05 23:03 ` Marius Bakke
2018-01-02 16:06 ` bug#29490: " Marius Bakke
0 siblings, 1 reply; 5+ messages in thread
From: Marius Bakke @ 2017-12-05 23:03 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 29490
[-- Attachment #1: Type: text/plain, Size: 1016 bytes --]
Ludovic Courtès <ludo@gnu.org> writes:
> Hello,
>
> Marius Bakke <mbakke@fastmail.com> skribis:
>
>> These issues has been classified as minor by Debian:
>>
>> https://security-tracker.debian.org/tracker/CVE-2017-15670
>> https://security-tracker.debian.org/tracker/CVE-2017-15671
>>
>> ...and is not worth the cost of grafting and maintaining this patch.
>
> I don’t see Debian’s classification as “minor”, but I see NVD severity
> “high” and “medium” (I personally fail to imagine concrete remote
> exploitation scenarios, but I largely lack the mental muscles for this.)
At the bottom of the page is the status for the stable releases, which
didn't get a DSA due to being a minor issue.
The recent update of glibc on core-updates included a fix for a similar
problem:
https://security-tracker.debian.org/tracker/CVE-2017-15671
I suppose we can graft that too, but would prefer to just drop them. We
get the fixes when we merge core-updates in a few weeks anyway.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* bug#29490: [PATCH] Revert "gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671."
2017-12-05 23:03 ` Marius Bakke
@ 2018-01-02 16:06 ` Marius Bakke
2018-01-02 22:27 ` [bug#29490] " Ludovic Courtès
0 siblings, 1 reply; 5+ messages in thread
From: Marius Bakke @ 2018-01-02 16:06 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 29490-done
[-- Attachment #1: Type: text/plain, Size: 1341 bytes --]
Marius Bakke <mbakke@fastmail.com> writes:
> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Hello,
>>
>> Marius Bakke <mbakke@fastmail.com> skribis:
>>
>>> These issues has been classified as minor by Debian:
>>>
>>> https://security-tracker.debian.org/tracker/CVE-2017-15670
>>> https://security-tracker.debian.org/tracker/CVE-2017-15671
>>>
>>> ...and is not worth the cost of grafting and maintaining this patch.
>>
>> I don’t see Debian’s classification as “minor”, but I see NVD severity
>> “high” and “medium” (I personally fail to imagine concrete remote
>> exploitation scenarios, but I largely lack the mental muscles for this.)
>
> At the bottom of the page is the status for the stable releases, which
> didn't get a DSA due to being a minor issue.
>
> The recent update of glibc on core-updates included a fix for a similar
> problem:
>
> https://security-tracker.debian.org/tracker/CVE-2017-15671
>
> I suppose we can graft that too, but would prefer to just drop them. We
> get the fixes when we merge core-updates in a few weeks anyway.
I pushed this to core-updates, since I'd rather not re-graft everything
on 'master'. The 2.26 package on core-updates have these fixes anyway.
This particular patch author will do a lot more research on future glibc
security issues...
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* [bug#29490] [PATCH] Revert "gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671."
2018-01-02 16:06 ` bug#29490: " Marius Bakke
@ 2018-01-02 22:27 ` Ludovic Courtès
0 siblings, 0 replies; 5+ messages in thread
From: Ludovic Courtès @ 2018-01-02 22:27 UTC (permalink / raw)
To: Marius Bakke; +Cc: 29490-done
Heya,
Marius Bakke <mbakke@fastmail.com> skribis:
> Marius Bakke <mbakke@fastmail.com> writes:
>
>> Ludovic Courtès <ludo@gnu.org> writes:
>>
>>> Hello,
>>>
>>> Marius Bakke <mbakke@fastmail.com> skribis:
>>>
>>>> These issues has been classified as minor by Debian:
>>>>
>>>> https://security-tracker.debian.org/tracker/CVE-2017-15670
>>>> https://security-tracker.debian.org/tracker/CVE-2017-15671
>>>>
>>>> ...and is not worth the cost of grafting and maintaining this patch.
>>>
>>> I don’t see Debian’s classification as “minor”, but I see NVD severity
>>> “high” and “medium” (I personally fail to imagine concrete remote
>>> exploitation scenarios, but I largely lack the mental muscles for this.)
>>
>> At the bottom of the page is the status for the stable releases, which
>> didn't get a DSA due to being a minor issue.
>>
>> The recent update of glibc on core-updates included a fix for a similar
>> problem:
>>
>> https://security-tracker.debian.org/tracker/CVE-2017-15671
>>
>> I suppose we can graft that too, but would prefer to just drop them. We
>> get the fixes when we merge core-updates in a few weeks anyway.
>
> I pushed this to core-updates, since I'd rather not re-graft everything
> on 'master'. The 2.26 package on core-updates have these fixes anyway.
Great, thanks for keeping track of it.
> This particular patch author will do a lot more research on future glibc
> security issues...
Heheh. :-)
Ludo’.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2018-01-02 22:28 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-11-28 17:09 [bug#29490] [PATCH] Revert "gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671." Marius Bakke
2017-12-05 11:08 ` Ludovic Courtès
2017-12-05 23:03 ` Marius Bakke
2018-01-02 16:06 ` bug#29490: " Marius Bakke
2018-01-02 22:27 ` [bug#29490] " Ludovic Courtès
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).