Subject: [bug#66348] [PATCH RFC] gnu: glibc: Fix CVE-2023-4911.
From: Liliana Marie Prikler
To: Ludovic Courtès
Cc: 66348@debbugs.gnu.org
Date: Sat, 07 Oct 2023 00:56:43 +0200
Message-ID: <604d2287350e122980db76d624af03422a0b4ec6.camel@gmail.com>
In-Reply-To: <87ttr3xucv.fsf@gnu.org>

On Saturday, 07.10.2023 at 00:24 +0200, Ludovic Courtès wrote:
> Hi Liliana,
>
> Liliana Marie Prikler wrote:
>
> > * gnu/packages/patches/glibc-2.35-CVE-2023-4911.patch: New file.
> > * gnu/local.mk: Register it here.
> > * gnu/packages/base.scm (glibc/fixed): New variable.
> > (glibc): Use it as replacement.
>
> I’ve tested it and it LGTM.
>
> I found a bug where the grafted libreoffice ends up indirectly
> referring to the broken libc in addition to the fixed one:
>
> --8<---------------cut here---------------start------------->8---
> $ ./pre-inst-env guix build libreoffice
> /gnu/store/1v6kgw1nrccc67yqlm1pzic1y32z63xb-libreoffice-7.5.4.2
> $ guix gc -R /gnu/store/1v6kgw1nrccc67yqlm1pzic1y32z63xb-libreoffice-7.5.4.2|grep glibc-2.35
> /gnu/store/gsjczqir1wbz8p770zndrpw4rnppmxi3-glibc-2.35
> /gnu/store/ln6hxqjvz6m9gdd9s97pivlqck7hzs99-glibc-2.35
> $ ./pre-inst-env guix build libreoffice --no-grafts
> /gnu/store/f5iibn55pm70icnk16hd4a8hwchicrvf-libreoffice-7.5.4.2
> $ guix gc -R /gnu/store/f5iibn55pm70icnk16hd4a8hwchicrvf-libreoffice-7.5.4.2|grep glibc-2.35
> /gnu/store/gsjczqir1wbz8p770zndrpw4rnppmxi3-glibc-2.35
> $ guix graph -t references --path /gnu/store/1v6kgw1nrccc67yqlm1pzic1y32z63xb-libreoffice-7.5.4.2 /gnu/store/gsjczqir1wbz8p770zndrpw4rnppmxi3-glibc-2.35
> /gnu/store/1v6kgw1nrccc67yqlm1pzic1y32z63xb-libreoffice-7.5.4.2
> /gnu/store/y392yldk4pbk4z5q587bz5n61hzbcf4g-mariadb-10.10.2-dev
> /gnu/store/cilkyfnc5fxmpviyypci3d2881ik3nih-mariadb-10.10.2-lib
> /gnu/store/gsjczqir1wbz8p770zndrpw4rnppmxi3-glibc-2.35
> --8<---------------cut here---------------end--------------->8---
>
> Not a showstopper but we’ll need to investigate.

Eww.

> Another concern: we’ll be grafting every single package.  It hurts
> performance so we may want to “ungraft” in core-updates and get it
> merged soon.
>
> Thoughts?

Is core-updates ready otherwise? If not, we might want to do a quick
"ungrafting" branch before that.

Cheers
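
A check that generalizes the `guix gc -R ... | grep glibc-2.35` step quoted above, added here as an example that is not part of the original message or of Guix: it lists every store item that appears in one closure under more than one hash, as glibc-2.35 does in the grafted libreoffice. The function names are made up for this example and the two closures are constructed from the store paths in the transcript; a duplicate is a lead to investigate, not proof of a graft leak.

```shell
#!/bin/sh
# Added example. Input on stdin: one store path per line, in the form
# printed by `guix gc -R ITEM`.

# dup_items (hypothetical helper): print "NAME<TAB>PATH" for every
# NAME-VERSION that occurs in the closure under more than one store hash.
dup_items() {
    awk '
        # A store path is /gnu/store/<hash>-<name-version>; the hash holds
        # no "-", so the match ends at the first hyphen after it.
        match($0, /^\/gnu\/store\/[0-9a-z]+-/) {
            name = substr($0, RLENGTH + 1)
            if (!($0 in seen)) {
                seen[$0] = 1
                count[name]++
                paths[name] = paths[name] name "\t" $0 "\n"
            }
        }
        END { for (n in count) if (count[n] > 1) printf "%s", paths[n] }
    ' | sort
}

# Constructed sample: the grafted closure, reduced to the items that
# appear in the transcript.
grafted_closure() {
    cat <<'EOF'
/gnu/store/1v6kgw1nrccc67yqlm1pzic1y32z63xb-libreoffice-7.5.4.2
/gnu/store/y392yldk4pbk4z5q587bz5n61hzbcf4g-mariadb-10.10.2-dev
/gnu/store/cilkyfnc5fxmpviyypci3d2881ik3nih-mariadb-10.10.2-lib
/gnu/store/gsjczqir1wbz8p770zndrpw4rnppmxi3-glibc-2.35
/gnu/store/ln6hxqjvz6m9gdd9s97pivlqck7hzs99-glibc-2.35
EOF
}

# Constructed sample: the --no-grafts closure, same reduction.
ungrafted_closure() {
    cat <<'EOF'
/gnu/store/f5iibn55pm70icnk16hd4a8hwchicrvf-libreoffice-7.5.4.2
/gnu/store/gsjczqir1wbz8p770zndrpw4rnppmxi3-glibc-2.35
EOF
}

# Lists both glibc-2.35 items for the grafted closure.
grafted_closure | dup_items
```

On a real system the input would come from `guix gc -R` on the built item instead of the sample functions.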