Subject: [bug#46959] [PATCH 0/1] WIP: gnu: newlib: Fix CVE-2021-3420.
From: Léo Le Bouter <lle-bout@zaclys.net>
To: 46959@debbugs.gnu.org
Cc: Léo Le Bouter
Date: Sat, 6 Mar 2021 06:04:09 +0100
Message-Id: <20210306050410.11022-1-lle-bout@zaclys.net>
X-Mailer: git-send-email 2.30.1

newlib-CVE-2021-3420.patch needs backporting to the versions of newlib it is being applied to, so if you are interested or a user of those packages, please finish the work; otherwise, well, CVE-2021-3420 will probably remain unfixed. The versions of newlib are too old and too specific for it to be maintainable security-wise, especially considering upstream does not seem to maintain older versions at all.

I don't think GNU Guix should take that role, but of course the people who depend on these packages can ensure they are good enough for themselves, otherwise contribute changes.

Léo Le Bouter (1):
  gnu: newlib: Fix CVE-2021-3420.

 gnu/local.mk                                  |   1 +
 gnu/packages/embedded.scm                     |   6 +-
 .../patches/newlib-CVE-2021-3420.patch        | 105 ++++++++++++++++++
 3 files changed, 110 insertions(+), 2 deletions(-)
 create mode 100644 gnu/packages/patches/newlib-CVE-2021-3420.patch

-- 
2.30.1