Subject: [bug#28933] [PATCH] gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671.
From: Marius Bakke
To: Leo Famulari
Cc: "Mark H. Weaver", 28933@debbugs.gnu.org
Date: Sun, 22 Oct 2017 20:36:06 +0200
Message-ID: <87wp3nyqqx.fsf@fastmail.com>
In-Reply-To: <20171022181952.GA21850@jasmine.lan>
References: <20171021211732.13039-1-mbakke@fastmail.com> <20171022181952.GA21850@jasmine.lan>

Leo Famulari writes:

> On Sat, Oct 21, 2017 at 11:17:32PM +0200, Marius Bakke wrote:
>> * gnu/packages/patches/glibc-CVE-2017-15670-15671.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> * gnu/packages/base.scm (glibc/linux)[replacement]: New field.
>> (glibc/fixed): New variable.
>
> Thanks!
>
> Do you think we need to do anything special with the glibc packages
> besides glibc/linux, such as glibc/hurd, glibc-2.24, etc?

It probably should be picked to the earlier glibcs as well, IIRC the
affected code was from 1997.  I'll try this and amend the patch.

Not sure about glibc/hurd, but I notice it does not have the other
security patches that 'glibc-2.23' has.  Picking those should be left to
someone able to easily test it IMO.

Side-note: I was really surprised that grafting glibc had become *this
easy*, but it seems to work in my testing.

I'll push this after patching the older glibc variants unless there are
further comments.