Marius Bakke <mbakke@fastmail.com> writes:

> Leo Famulari <leo@famulari.name> writes:
>
>> On Wed, Nov 22, 2017 at 10:28:49PM +0100, Marius Bakke wrote:
>>> Hello!
>>> 
>>> I discovered that 'icu4c' failed to build for x86_64 on 'core-updates'.
>>> After some investigation, it turns out to be a problem with <math.h> in
>>> C++ mode, due to its usage of C-only builtins (in the 2.26 release).
>>> 
>>> Here are the relevant bug reports I've found so far by digging through
>>> the "release/2.26/master" branch, aka "2.26 stable"[0]:
>>> 
>>> <https://sourceware.org/bugzilla/show_bug.cgi?id=21930>
>>> <https://sourceware.org/bugzilla/show_bug.cgi?id=22235>
>>> <https://sourceware.org/bugzilla/show_bug.cgi?id=22146>
>>> <https://sourceware.org/bugzilla/show_bug.cgi?id=22296>
>>> 
>>> The attached patch includes the fixes from those bugs, as well as a
>>> couple of others that looked important.  However it's still a very small
>>> subset of the 2.26 post-release fixes.
>>> 
>>> I've read through _most_ of the commits and around half of them look
>>> important enough to pick "unconditionally".  The other half I mainly
>>> lack the context or skills to assess.
>>> 
>>> So I wonder if we should simply pick everything from this branch,
>>> instead of only the few that fixes immediately visible problems.
>>> Thoughts?
>>
>> Based on this discussion [0], I think we should take the whole branch.
>> It sounds like commits on the release branches are considered important
>> bug fixes and "stable".
>
> I agree.
>
>> There was talk of a mid-October 2.26.1 release, but that didn't happen,
>> as we know.
>>
>> Are you able to prepare a patch, Marius? If not, I can do it later
>> tonight.
>
> I ran this command from a glibc git checkout:
>
>   $ git format-patch -p --minimal --no-signature -o ~/guix/gnu/packages/patches/ \
>     glibc-2.26..origin/release/2.26/master
>
> Afterwards, in ~/guix/gnu/packages/patches:
>
>   $ rename 's/^(\d{4})-.*\.patch/glibc-2-26-$1.patch/' 00*.patch

There was a major bug in the regexp here: ^

The patch below fixes that, and add CVE identifiers to the patch names.

I realized the glibc graft on master has been classified as low severity
in Debian and not added to the stable releases.  I wish to revert it, or
at the very least remove the graft.  Thoughts?

https://security-tracker.debian.org/tracker/CVE-2017-15670
https://security-tracker.debian.org/tracker/CVE-2017-15671

It also incorrectly mentions that CVE-2017-15671 is fixed, when in fact
that was a different bug entirely.  I have an ugly patch to fix that,
but I'm not sure if it's even worth the hassle.

I will also refrain from doing important work late at night :-(