From: Christopher Baines <mail@cbaines.net>
To: "Léo Le Bouter" <lle-bout@zaclys.net>
Cc: 46959@debbugs.gnu.org
Subject: [bug#46959] [PATCH 0/1] WIP: gnu: newlib: Fix CVE-2021-3420.
Date: Sun, 07 Mar 2021 13:57:05 +0000
Message-ID: <871rcrnk26.fsf@cbaines.net>
In-Reply-To: <20210306050410.11022-1-lle-bout@zaclys.net>
Léo Le Bouter via Guix-patches via <guix-patches@gnu.org> writes:
> newlib-CVE-2021-3420.patch needs backporting to the versions of newlib it is
> being applied to, so if you are interested or a user of those packages please
> finish the work, otherwise well CVE-2021-3420 will probably remain unfixed.
>
> The versions of newlib are too old and too specific for it to be
> maintainable security-wise, especially considering upstream does not seem to
> maintain older versions at all. I don't think GNU Guix should take that role,
> but of course the people who depend on these packages can ensure they are good
> enough for themselves, otherwise contribute changes.
>
> Léo Le Bouter (1):
> gnu: newlib: Fix CVE-2021-3420.
>
> gnu/local.mk | 1 +
> gnu/packages/embedded.scm | 6 +-
> .../patches/newlib-CVE-2021-3420.patch | 105 ++++++++++++++++++
> 3 files changed, 110 insertions(+), 2 deletions(-)
> create mode 100644 gnu/packages/patches/newlib-CVE-2021-3420.patch
Hey,
Looking at [1] and following through the "View comparison" links, it
seems that there are some problems applying the patch added here; I can't
see a case where it's applied successfully.
1: https://patches.guix-patches.cbaines.net/project/guix-patches/patch/20210306050521.11571-1-lle-bout@zaclys.net/
Unfortunately this data is still a bit hidden, but if you click on
"Compare package derivations", get all the results, then find
newlib@3.0.0-0.3ccfb40 and look at the build for x86_64-linux, you
should get to this page [2] and from the "Required failed builds", I'm
guessing the source part of the package build has failed.
2: https://data.guix-patches.cbaines.net/build-server/5/build?build_server_build_id=dd289414-7653-4b63-8b3c-7a55cdf55820
Any ideas? What packages should build with this change?
Thanks,
Chris