From: "Ludovic Courtès" <ludo@gnu.org>
To: Liliana Marie Prikler <liliana.prikler@gmail.com>
Cc: 66348@debbugs.gnu.org
Subject: [bug#66348] [PATCH RFC] gnu: glibc: Fix CVE-2023-4911.
Date: Sat, 07 Oct 2023 00:24:16 +0200 [thread overview]
Message-ID: <87ttr3xucv.fsf@gnu.org> (raw)
In-Reply-To: <b4b918de4fce8ab839b51740f2758dc13f9884d5.1696450898.git.liliana.prikler@gmail.com> (Liliana Marie Prikler's message of "Wed, 4 Oct 2023 21:27:13 +0200")
Hi Liliana,
Liliana Marie Prikler <liliana.prikler@gmail.com> skribis:
> * gnu/packages/patches/glibc-2.35-CVE-2023-4911.patch: New file.
> * gnu/local.mk: Register it here.
> * gnu/packages/base.scm (glibc/fixed): New variable.
> (glibc): Use it as replacement.
I’ve tested it and it LGTM.
I found a bug where the grafted libreoffice ends up indirectly referring
to the broken libc in addition to the fixed one:
--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env guix build libreoffice
/gnu/store/1v6kgw1nrccc67yqlm1pzic1y32z63xb-libreoffice-7.5.4.2
$ guix gc -R /gnu/store/1v6kgw1nrccc67yqlm1pzic1y32z63xb-libreoffice-7.5.4.2|grep glibc-2.35
/gnu/store/gsjczqir1wbz8p770zndrpw4rnppmxi3-glibc-2.35
/gnu/store/ln6hxqjvz6m9gdd9s97pivlqck7hzs99-glibc-2.35
$ ./pre-inst-env guix build libreoffice --no-grafts
/gnu/store/f5iibn55pm70icnk16hd4a8hwchicrvf-libreoffice-7.5.4.2
$ guix gc -R /gnu/store/f5iibn55pm70icnk16hd4a8hwchicrvf-libreoffice-7.5.4.2|grep glibc-2.35
/gnu/store/gsjczqir1wbz8p770zndrpw4rnppmxi3-glibc-2.35
$ guix graph -t references --path /gnu/store/1v6kgw1nrccc67yqlm1pzic1y32z63xb-libreoffice-7.5.4.2 /gnu/store/gsjczqir1wbz8p770zndrpw4rnppmxi3-glibc-2.35
/gnu/store/1v6kgw1nrccc67yqlm1pzic1y32z63xb-libreoffice-7.5.4.2
/gnu/store/y392yldk4pbk4z5q587bz5n61hzbcf4g-mariadb-10.10.2-dev
/gnu/store/cilkyfnc5fxmpviyypci3d2881ik3nih-mariadb-10.10.2-lib
/gnu/store/gsjczqir1wbz8p770zndrpw4rnppmxi3-glibc-2.35
--8<---------------cut here---------------end--------------->8---
Not a showstopper but we’ll need to investigate.
Another concern: we’ll be grafting every single package. It hurts
performance so we may want to “ungraft” in core-updates and get it
merged soon.
Thoughts?
Ludo’.
next prev parent reply other threads:[~2023-10-06 22:25 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-04 19:27 [bug#66348] [PATCH RFC] gnu: glibc: Fix CVE-2023-4911 Liliana Marie Prikler
2023-10-05 5:46 ` Liliana Marie Prikler
2023-10-06 22:24 ` Ludovic Courtès [this message]
2023-10-06 22:56 ` Liliana Marie Prikler
2023-10-11 21:24 ` Ludovic Courtès
2023-10-12 4:58 ` bug#66348: " Liliana Marie Prikler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87ttr3xucv.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=66348@debbugs.gnu.org \
--cc=liliana.prikler@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).