Subject: [bug#46959] [PATCH 0/1] WIP: gnu: newlib: Fix CVE-2021-3420.
From: Christopher Baines
To: Léo Le Bouter
Cc: 46959@debbugs.gnu.org
Date: Sun, 07 Mar 2021 13:57:05 +0000
Message-ID: <871rcrnk26.fsf@cbaines.net>
In-reply-to: <20210306050410.11022-1-lle-bout@zaclys.net>

Léo Le Bouter via Guix-patches via writes:

> newlib-CVE-2021-3420.patch needs backporting to the versions of newlib it is
> being applied to, so if you are interested or a user of those packages please
> finish the work, otherwise well CVE-2021-3420 will probably remain unfixed.
>
> The versions of newlib are too old and too specific for it to be
> maintainable security-wise, especially considering upstream does not seem to
> maintain older versions at all. I don't think GNU Guix should take that role,
> but of course the people who depend on these packages can ensure they are good
> enough for themselves, otherwise contribute changes.
>
> Léo Le Bouter (1):
>   gnu: newlib: Fix CVE-2021-3420.
>
>  gnu/local.mk                                  |   1 +
>  gnu/packages/embedded.scm                     |   6 +-
>  .../patches/newlib-CVE-2021-3420.patch        | 105 ++++++++++++++++++
>  3 files changed, 110 insertions(+), 2 deletions(-)
>  create mode 100644 gnu/packages/patches/newlib-CVE-2021-3420.patch

Hey,

Looking at [1] and following through the "View comparison" links, it
seems that there are some problems applying the patch added here; I can't
see a case where it's applied successfully.

1: https://patches.guix-patches.cbaines.net/project/guix-patches/patch/20210306050521.11571-1-lle-bout@zaclys.net/

Unfortunately this data is still a bit hidden, but if you click on
"Compare package derivations", get all the results, then find
newlib@3.0.0-0.3ccfb40 and look at the build for x86_64-linux, you
should get to this page [2], and from the "Required failed builds" I'm
guessing the source part of the package build has failed.

2: https://data.guix-patches.cbaines.net/build-server/5/build?build_server_build_id=dd289414-7653-4b63-8b3c-7a55cdf55820

Any ideas? What packages should build with this change?
Thanks,

Chris