From: "Ludovic Courtès" <ludo@gnu.org>
To: Maxime Devos <maximedevos@telenet.be>
Cc: 50698@debbugs.gnu.org
Subject: [bug#50698] [PATCH] WIP patches for recently-known hurd security vulnerabilities
Date: Mon, 04 Oct 2021 15:52:27 +0200 [thread overview]
Message-ID: <87pmskq4mc.fsf@gnu.org> (raw)
In-Reply-To: <727b3d7ec511589ab714874d6648ee4afa458e3c.camel@telenet.be> (Maxime Devos's message of "Mon, 20 Sep 2021 12:40:48 +0200")
Hi Maxime,
Maxime Devos <maximedevos@telenet.be> skribis:
> I've tried to patch the glibc package for the problems noted at
> <https://lists.gnu.org/archive/html/bug-hurd/2021-08/msg00007.html>;.
>
> I've found two recent patches (glibc-hurd-proc-reauth.patch and
> glibc-hurd-sendmsg-SCM_CREDS.patch) that appeared relevant. I tried
> to patch our glibc package with those patches.
>
> The modified tarball builds fine for --system=x86_64-linux, but not
> for --system=i586-gnu (tested with ./pre-inst-env guix build hello
> --system=i586-gnu). Any idea what's happening here?
Thanks for looking into it!
> From cdf38fbfcba4c87777d7ba2175f08e877dafe86a Mon Sep 17 00:00:00 2001
> From: Maxime Devos <maximedevos@telenet.be>
> Date: Mon, 13 Sep 2021 11:23:21 +0200
> Subject: [PATCH] WIP gnu: glibc: New security patches.
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
>
> The existence of the vulnerabilities was noted at
> <https://lists.gnu.org/archive/html/bug-hurd/2021-08/msg00007.html>.
>
> TODO: check if these are all necessary packages for glibc.
> TODO: why does the glibc tarball build for --system=x86_64-linux but not
> for --system=i586-gnu?
>
> Build error:
> ‘patching file hurd/hurdinit.c
> Hunk #1 FAILED at 177.
> 1 out of 1 hunk FAILED -- saving rejects to file hurd/hurdinit.c.rej’
>
> but this file isn't modified by the new patches!
>
> * gnu/local.mk (dist_patch_DATA): Register new patches.
> * gnu/packages/base.scm (glibc)[replacement]: Register replacement.
> (glibc/fixed): New variable.
> * gnu/packages/patches/glibc-hurd-proc-reauth.patch: New file.
> * gnu/packages/patches/glibc-hurd-sendmsg-SCM_CREDS.patch.
[...]
> --- a/gnu/packages/base.scm
> +++ b/gnu/packages/base.scm
> @@ -706,6 +706,7 @@ the store.")
> (package
> (name "glibc")
> (version "2.31")
> + (replacement glibc/fixed)
> (source (origin
> (method url-fetch)
> (uri (string-append "mirror://gnu/glibc/glibc-" version ".tar.xz"))
> @@ -966,6 +967,12 @@ with the Linux kernel.")
> (license lgpl2.0+)
> (home-page "https://www.gnu.org/software/libc/")))
>
> +(define glibc/fixed
> + (package-with-extra-patches
> + glibc
> + (search-patches "glibc-hurd-sendmsg-SCM_CREDS.patch"
> + "glibc-hurd-proc-reauth.patch")))
Instead of a replacement, which makes no sense on GNU/Linux, could you
add a conditional phase for (hurd-target?) that applies the patches?
(On ‘core-updates’ (or ‘-frozen’?) we will apply patches
unconditionally.)
Not answering your initial question, but maybe the problem will vanish
if you do things this way, who knows. :-)
> +++ b/gnu/packages/patches/glibc-hurd-proc-reauth.patch
> @@ -0,0 +1,114 @@
> +Index: glibc-2.31/hurd/hurdsig.c
Please add a comment explaining what this patch does, what its status
is, with a link to upstream discussions.
Thank you!
Ludo’.
next prev parent reply other threads:[~2021-10-04 13:58 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-20 10:40 [bug#50698] [PATCH] WIP patches for recently-known hurd security vulnerabilities Maxime Devos
2021-10-04 13:52 ` Ludovic Courtès [this message]
2021-10-04 15:00 ` Maxime Devos
2021-10-08 7:40 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87pmskq4mc.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=50698@debbugs.gnu.org \
--cc=maximedevos@telenet.be \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).