On Tue, Jun 20, 2017 at 05:44:42PM -0400, Mark H Weaver wrote:
> Hi Efraim,
>
> Thanks so much for working on this!
>
> Grafting glibc is something we haven't done before to my knowledge, and
> it is a bit tricky because of all of the inherited versions of glibc.
> At present, those inherited versions are not expressed in such a way to
> make grafting work.
>
> One important tool is the 'package/inherit' macro, which I added to
> (guix packages) in early May to facilitate another graft. In order to
> graft 'glibc' properly, we'll first need to use 'package/inherit' in a
> couple of places, I think.
>

I like your optimism :)

> Efraim Flashner writes:
>
> > From 2a83d2a8265314af3d8b16f86187897223567d6e Mon Sep 17 00:00:00 2001
> > From: Efraim Flashner
> > Date: Mon, 19 Jun 2017 23:13:53 +0300
> > Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
> >
> > * gnu/packages/base.scm (glibc)[replacement]: New field.
>
> Please write (glibc/linux) instead of (glibc) above, since that's the
> variable whose definition is being changed.

noted

> See below for more comments.
>
> > (glibc-2.25-fixed): New variable.
> > (glibc@2.24, glibc@2.23, glibc@2.22, glibc@2.21)[source]: Add patch.
> > [replacement]: New field.
> > (glibc-locales)[replacement]: New field.
> > * gnu/packages/commencement.scm (glibc-final-with-bootstrap-bash,
> > cross-gcc-wrapper, glibc-final)[replacement]: New field.
> > * gnu/packages/patches/glibc-CVE-2017-1000366.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> > ---
> > gnu/local.mk | 1 +
> > gnu/packages/base.scm | 39 +++++++++++++++++++----
> > gnu/packages/commencement.scm | 4 +++
> > gnu/packages/patches/glibc-CVE-2017-1000366.patch | 33 +++++++++++++++++++
> > 4 files changed, 71 insertions(+), 6 deletions(-)
> > create mode 100644 gnu/packages/patches/glibc-CVE-2017-1000366.patch
> >
> > diff --git a/gnu/local.mk b/gnu/local.mk
> > index ae4a59af0..6b598335b 100644
> > --- a/gnu/local.mk
> > +++ b/gnu/local.mk
> > @@ -632,6 +632,7 @@ dist_patch_DATA = \
> > %D%/packages/patches/ghostscript-runpath.patch \
> > %D%/packages/patches/glib-networking-ssl-cert-file.patch \
> > %D%/packages/patches/glib-tests-timer.patch \
> > + %D%/packages/patches/glibc-CVE-2017-1000366.patch \
> > %D%/packages/patches/glibc-bootstrap-system.patch \
> > %D%/packages/patches/glibc-ldd-x86_64.patch \
> > %D%/packages/patches/glibc-locales.patch \
>
> Your changes to (gnu packages base) look good to me, so I've omitted
> them. In particular, you are right to add (replacement #f) in the
> places where you've done so.
>
> > diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
> > index 1b41feac1..42892bbe8 100644
> > --- a/gnu/packages/commencement.scm
> > +++ b/gnu/packages/commencement.scm
> > @@ -3,6 +3,7 @@
> > ;;; Copyright © 2014 Andreas Enge
> > ;;; Copyright © 2012 Nikita Karetnikov
> > ;;; Copyright © 2014, 2015 Mark H Weaver
> > +;;; Copyright © 2017 Efraim Flashner
> > ;;;
> > ;;; This file is part of GNU Guix.
> > ;;;
> > @@ -469,6 +470,7 @@ the bootstrap environment."
> > (package-with-bootstrap-guile
> > (package (inherit glibc)
> > (name "glibc-intermediate")
> > + (replacement #f)
> > (arguments
> > `(#:guile ,%bootstrap-guile
> > #:implicit-inputs? #f
> > @@ -540,6 +542,7 @@ the bootstrap environment."
> > that makes it available under the native tool names."
> > (package (inherit gcc)
> > (name (string-append (package-name gcc) "-wrapped"))
> > + (replacement #f)
> > (source #f)
> > (build-system trivial-build-system)
> > (outputs '("out"))
> > @@ -642,6 +645,7 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
> > ;; The final glibc, which embeds the statically-linked Bash built above.
> > (package (inherit glibc-final-with-bootstrap-bash)
> > (name "glibc")
> > + (replacement #f)
> > (inputs `(("static-bash" ,static-bash-for-glibc)
> > ,@(alist-delete
> > "static-bash"
>
> The problem here is that almost all of the software in Guix is linked
> against glibc-final, and you've suppressed the replacement for it. This
> is where the 'package/inherit' macro becomes useful.
>
> I think we need to enable grafting for both
> 'glibc-final-with-bootstrap-bash' and 'glibc-final', by replacing
>
> (package (inherit GLIBC-FOO)
> ...)
>
> with:
>
> (package/inherit GLIBC-FOO
> ...)
>
> and remove the (replacement #f) override from those two packages,
> because 'package/inherit' will implicitly override 'replacement' as
> appropriate.
>
> Would you like to try this?

I haven't looked closely at this part of the code yet so it's like magic to me still.

>
> > diff --git a/gnu/packages/patches/glibc-CVE-2017-1000366.patch b/gnu/packages/patches/glibc-CVE-2017-1000366.patch
> > new file mode 100644
> > index 000000000..106e81d91
> > --- /dev/null
> > +++ b/gnu/packages/patches/glibc-CVE-2017-1000366.patch
> > @@ -0,0 +1,33 @@
> > +From f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d Mon Sep 17 00:00:00 2001
> > +From: Florian Weimer
> > +Date: Mon, 19 Jun 2017 17:09:55 +0200
> > +Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1
> > + programs [BZ #21624]
> > +
> > +LD_LIBRARY_PATH can only be used to reorder system search paths, which
> > +is not useful functionality.
> > +
> > +This makes an exploitable unbounded alloca in _dl_init_paths unreachable
> > +for AT_SECURE=1 programs.
> > +---
> > + ChangeLog | 7 +++++++
> > + elf/rtld.c | 3 ++-
> > + 2 files changed, 9 insertions(+), 1 deletion(-)
> > +
> > +diff --git a/elf/rtld.c b/elf/rtld.c
> > +index 2446a87..2269dbe 100644
> > +--- a/elf/rtld.c
> > ++++ b/elf/rtld.c
> > +@@ -2422,7 +2422,8 @@ process_envvars (enum mode *modep)
> > +
> > + case 12:
> > + /* The library search path. */
> > +- if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
> > ++ if (!__libc_enable_secure
> > ++ && memcmp (envline, "LIBRARY_PATH", 12) == 0)
> > + {
> > + library_path = &envline[13];
> > + break;
> > +--
> > +2.9.3
> > +
>
> What about the other two patches? Namely, quoting Leo:
>
> > ld.so: Reject overly long LD_PRELOAD path elements
> > https://sourceware.org/git/?p=glibc.git;a=commit;h=6d0ba622891bed9d8394eef1935add53003b12e8
> >
> > ld.so: Reject overly long LD_AUDIT path elements:
> > https://sourceware.org/git/?p=glibc.git;a=commit;h=81b82fb966ffbd94353f793ad17116c6088dedd9

now added

> One more thing: since this grafting of 'glibc' is unprecedented and has
> the potential for breakage, I think it should be tested as follows:
> someone running GuixSD should reconfigure their entire system using the
> grafted 'glibc', and they should boot into it to make sure nothing
> obvious is broken, before we commit.
>
> Also, we should check the references and make sure that the fixed glibc
> is actually being used.
>
> Thank you!
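Review bot: `(replacement #f)` in the `glibc-intermediate` hunk (@@ -469) deserves a one-line comment, because a reader will otherwise wonder why the security fix is deliberately switched off there; the reason visible in the hunk is that the package inherits from `glibc` but overrides `arguments` to build with `%bootstrap-guile`, so a replacement inherited verbatim from `glibc` would not match it, and the package only lives in the bootstrap chain. Something like `;; Bootstrap-only; not grafted, see glibc-final.` is enough.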
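Review bot: in the wrapper hunk (@@ -540) the package inherits from `gcc`, not `glibc`, and has `(source #f)` with `trivial-build-system`, so `(replacement #f)` there only has an effect if `gcc` itself ever gains a replacement; either drop the line to keep this change to what the CVE needs, or add a comment saying it is defensive.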
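Review bot: `(replacement #f)` on the final `glibc` (@@ -642) turns the fix off for the glibc that the rest of the distribution links against, so after this patch ordinary packages would still reference the unpatched glibc-final; drop that line and change `(package (inherit glibc-final-with-bootstrap-bash)` to `(package/inherit glibc-final-with-bootstrap-bash`, which re-applies the `name` and `inputs` overrides to the replacement, then confirm with `guix gc --references` on a built package that it points at the fixed glibc.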
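Review bot: the new `glibc-CVE-2017-1000366.patch` keeps upstream's `ChangeLog | 7 +++++++` and `2 files changed` diffstat lines although only the `elf/rtld.c` hunk is included; `patch` ignores them, but trimming them or noting that the ChangeLog hunk was dropped avoids a mismatch when someone compares against upstream f6110a8f. The guard itself is the right scope: prefixing the `LIBRARY_PATH` case with `!__libc_enable_secure` makes AT_SECURE=1 programs ignore LD_LIBRARY_PATH entirely, which is what puts the unbounded alloca in `_dl_init_paths` out of reach. Since the LD_PRELOAD and LD_AUDIT commits are being added as well, give each its own patch file and list all three in `dist_patch_DATA` and in the commit message.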
>
> Mark

After making the changes I built glibc, by which I mean I built at least
gettext-boot0, glibc-final, perl, glibc, expat, and probably a bit more.
On my 10-year-old laptop it took about 2 hours.

@ build-succeeded /gnu/store/974hryqa5fprrymyjkmcfrzn3qmv0dgq-glibc-2.25.drv -
/gnu/store/kczijfli8cb0qjyrfzbrd06bdrpic7lx-glibc-2.25-debug
/gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25

real    125m16.297s
user    0m32.896s
sys     0m3.840s
efraim@macbook42:~/workspace/guix$ guix gc --references /gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25/
/gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25
/gnu/store/946hwcxnd9w13gyqprs0fzkmyyz4hdar-bash-static-4.4.12
/gnu/store/n4fmp3fj1yam5ijwa64irg7glvzsq4i1-bash-4.4.12
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25o

This doubling of glibc, bash and bash-static is the same as I got from
'guix gc --references $(./pre-inst-env guix build glibc)' on another machine

efraim@macbook42:~/workspace/guix$ guix gc --references /gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25/
/gnu/store/02426nwiy32cscm4h83729vn5ws1gs2i-bash-static-4.4.12
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25
efraim@macbook42:~/workspace/guix$ ./pre-inst-env guix build --fallback -e '(@@ (gnu packages commencement) glibc-final)'
;;; note: source file /home/efraim/workspace/guix/gnu/packages/commencement.scm
;;;       newer than compiled /home/efraim/workspace/guix/gnu/packages/commencement.go
;;; note: source file /home/efraim/workspace/guix/gnu/packages/base.scm
;;;       newer than compiled /home/efraim/workspace/guix/gnu/packages/base.go
/gnu/store/kbp13s4y4mbzww7vvld33di28im94xfi-glibc-2.25-debug
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25
efraim@macbook42:~/workspace/guix$ ./pre-inst-env guix build --fallback python
...snip...
grafting '/gnu/store/3aw9x28la9nh8fzkm665d7fywxzbl15j-python-3.5.3' -> '/gnu/store/66bdsmrgxjgr76f192fsqklzj76g33pf-python-3.5.3'...
grafting '/gnu/store/9bv7jbk734bsk5zacq23wzp60xz06xs6-python-3.5.3-tk' -> '/gnu/store/7hgx1fw4kyc41c5dj963z2d1nsmdli6z-python-3.5.3-tk'...
@ build-succeeded /gnu/store/pymxw6dzibylr5qwhdxzc7il0h07kk9z-python-3.5.3.drv -
/gnu/store/66bdsmrgxjgr76f192fsqklzj76g33pf-python-3.5.3
/gnu/store/7hgx1fw4kyc41c5dj963z2d1nsmdli6z-python-3.5.3-tk
efraim@macbook42:~/workspace/guix$ guix gc --references $(./pre-inst-env guix build python)
;;; note: source file /home/efraim/workspace/guix/gnu/packages/base.scm
;;;       newer than compiled /home/efraim/workspace/guix/gnu/packages/base.go
;;; note: source file /home/efraim/workspace/guix/gnu/packages/commencement.scm
;;;       newer than compiled /home/efraim/workspace/guix/gnu/packages/commencement.go
/gnu/store/66bdsmrgxjgr76f192fsqklzj76g33pf-python-3.5.3
/gnu/store/7v66jlv8y005p2z5754jc1c6xf3rqybh-tk-8.6.6
/gnu/store/hiaxc08awfb6ygpssmlki8sjsxjcak5z-tcl-8.6.6
/gnu/store/p8k2id55pynzjmaixlns94phvr7mz5ls-gcc-5.4.0-lib
/gnu/store/smddwh4gb0bf50js321vm88pvjlcfx04-libx11-1.6.5
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25
/gnu/store/328cimicdjz4w6hr0z7fzvcr9j6ijjvg-readline-7.0
/gnu/store/66bdsmrgxjgr76f192fsqklzj76g33pf-python-3.5.3
/gnu/store/8zhlrp7mq6ibmda8n530xn3ym6l3zhyq-openssl-1.0.2k
/gnu/store/alygmq7pjlrwchpyi4ycxx0w6qgg8kfx-ncurses-6.0
/gnu/store/fd8d47zyhv6m0adv9w2lawhajav3s3ww-xz-5.2.2
/gnu/store/mmmv339r8ymx4fabffzwadjasfc0a5lx-zlib-1.2.11
/gnu/store/n4fmp3fj1yam5ijwa64irg7glvzsq4i1-bash-4.4.12
/gnu/store/nk2f8advrn50jmx0gx24lkqqjswgy0bj-coreutils-8.26
/gnu/store/p8k2id55pynzjmaixlns94phvr7mz5ls-gcc-5.4.0-lib
/gnu/store/pwhhnz4mjky9l3mdswybsgsgl74k7qb9-sqlite-3.17.0
/gnu/store/wcrf85ndv977kky8fazvgbjaybgz758j-libffi-3.2.1
/gnu/store/y6mlqxch93asizcni9f50y4r1y48wbgj-gdbm-1.12
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25
efraim@macbook42:~/workspace/guix$ guix gc --references /gnu/store/66bdsmrgxjgr76f192fsqklzj76g33pf-python-3.5.3/
/gnu/store/328cimicdjz4w6hr0z7fzvcr9j6ijjvg-readline-7.0
/gnu/store/66bdsmrgxjgr76f192fsqklzj76g33pf-python-3.5.3
/gnu/store/8zhlrp7mq6ibmda8n530xn3ym6l3zhyq-openssl-1.0.2k
/gnu/store/alygmq7pjlrwchpyi4ycxx0w6qgg8kfx-ncurses-6.0
/gnu/store/fd8d47zyhv6m0adv9w2lawhajav3s3ww-xz-5.2.2
/gnu/store/mmmv339r8ymx4fabffzwadjasfc0a5lx-zlib-1.2.11
/gnu/store/n4fmp3fj1yam5ijwa64irg7glvzsq4i1-bash-4.4.12
/gnu/store/nk2f8advrn50jmx0gx24lkqqjswgy0bj-coreutils-8.26
/gnu/store/p8k2id55pynzjmaixlns94phvr7mz5ls-gcc-5.4.0-lib
/gnu/store/pwhhnz4mjky9l3mdswybsgsgl74k7qb9-sqlite-3.17.0
/gnu/store/wcrf85ndv977kky8fazvgbjaybgz758j-libffi-3.2.1
/gnu/store/y6mlqxch93asizcni9f50y4r1y48wbgj-gdbm-1.12
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25

So to me it looks like it's working. Anyone want to try reconfiguring
their system to make sure it doesn't break GuixSD? :)

--
Efraim Flashner   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
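To make Mark's `package/inherit` point concrete, here is an added example (not code from this thread or from Guix itself) meant to be run inside a Guix checkout with `./pre-inst-env guile example.scm`; `glibc-fixed`, `glibc-grafted` and `glibc-derived` are constructed stand-ins for `glibc-2.25-fixed`, the grafted `glibc` in base.scm, and `glibc-final`.

```scheme
;; Added example, not from the thread or from Guix: shows why plain
;; `(package (inherit ...))' mis-applies or drops a graft, while
;; `package/inherit' rebuilds the replacement with the same overrides.
(use-modules (guix packages)
             (gnu packages base))   ; exports `glibc'

;; Constructed stand-in for glibc-2.25-fixed.  A real fix would add the
;; CVE patch to `source'; here only the name differs.
(define glibc-fixed
  (package (inherit glibc)
    (name "glibc-fixed")
    (replacement #f)))

;; Constructed stand-in for the grafted `glibc' variable in base.scm.
(define glibc-grafted
  (package (inherit glibc)
    (replacement glibc-fixed)))

;; Plain inheritance copies `replacement' verbatim: this derived package
;; (think glibc-final, with its own name and inputs) would be grafted
;; with glibc-fixed, a replacement that lacks the derived overrides.
;; Adding (replacement #f) avoids the mismatch but also drops the fix.
(define glibc-derived/plain
  (package (inherit glibc-grafted)
    (name "glibc-derived")))

;; package/inherit applies the overrides to the replacement as well, so
;; the derived package is grafted with a fixed glibc carrying the same
;; overrides (the same name here; the same `inputs' in the real case).
(define glibc-derived/proper
  (package/inherit glibc-grafted
    (name "glibc-derived")))

;; Report which package each variant would be grafted with; compare the
;; replacement's name with the derived package's own name.
(define (describe label p)
  (let ((r (package-replacement p)))
    (format #t "~a: ~a grafted with ~a~%"
            label (package-name p)
            (if r (package-name r) "nothing"))))

(describe "plain " glibc-derived/plain)
(describe "proper" glibc-derived/proper)
```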