From: Maxim Cournoyer
Date: Sat, 14 Dec 2024 23:20:53 +0900
Subject: bug#70581: [PATCH] gnu: glibc: Graft with fix for CVE-2024-2961.
To: 70581@debbugs.gnu.org
Cc: Maxim Cournoyer, guix-security@gnu.org, McSinyx, Liliana Marie Prikler, Ludovic Courtès, Andreas Enge, Janneke Nieuwenhuizen

* gnu/packages/base.scm (%glibc-patches): New variable.
(glibc) [source]: Use it.
[properties]: Mark CVE-2024-2961 as hidden (resolved).
[replacement]: Add field to graft with...
(glibc/fixed): ... this new package.

Fixes:
Change-Id: I6dd70b0e157283925824348f180c466c2f6387c9
--- gnu/packages/base.scm | 55 ++++++++++++++++++++++++++++++++----------- 1 file changed, 41 insertions(+), 14 deletions(-) diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index b3f54798c4..a060ed556d 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm
@@ -878,6 +878,21 @@ (define* (make-ld-wrapper name #:key (home-page "https://www.gnu.org/software/guix//") (license gpl3+))) +(define %glibc-patches + (list "glibc-2.39-git-updates.patch" + "glibc-ldd-powerpc.patch" + "glibc-2.38-ldd-x86_64.patch" + "glibc-dl-cache.patch" + "glibc-2.37-versioned-locpath.patch" + ;; "glibc-allow-kernel-2.6.32.patch" + "glibc-reinstate-prlimit64-fallback.patch" + "glibc-supported-locales.patch" + "glibc-2.37-hurd-clock_t_centiseconds.patch" + "glibc-2.37-hurd-local-clock_gettime_MONOTONIC.patch" + "glibc-hurd-mach-print.patch" + "glibc-hurd-gettyent.patch" + "glibc-hurd-getauxval.patch")) + (define-public glibc ;; This is the GNU C Library, used on GNU/Linux and GNU/Hurd. Prior to ;; version 2.28, GNU/Hurd used a different glibc branch. @@ -890,21 +905,11 @@ (define-public glibc (sha256 (base32 "09nrwb0ksbah9k35jchd28xxp2hidilqdgz7b8v5f30pz1yd8yzp")) - (patches (search-patches "glibc-2.39-git-updates.patch" - "glibc-ldd-powerpc.patch" - "glibc-2.38-ldd-x86_64.patch" - "glibc-dl-cache.patch" - "glibc-2.37-versioned-locpath.patch" - ;; "glibc-allow-kernel-2.6.32.patch" - "glibc-reinstate-prlimit64-fallback.patch" - "glibc-supported-locales.patch" - "glibc-2.37-hurd-clock_t_centiseconds.patch" - "glibc-2.37-hurd-local-clock_gettime_MONOTONIC.patch" - "glibc-hurd-mach-print.patch" - "glibc-hurd-gettyent.patch" - "glibc-hurd-getauxval.patch")))) - (properties `((lint-hidden-cve . ("CVE-2024-33601" "CVE-2024-33602" + (patches (map search-patch %glibc-patches)))) + (properties `((lint-hidden-cve . ("CVE-2024-2961" + "CVE-2024-33601" "CVE-2024-33602" "CVE-2024-33600" "CVE-2024-33599")))) + (replacement glibc/fixed) (build-system gnu-build-system) ;; Glibc's refers to , for instance, so glibc 
@@ -1182,6 +1187,28 @@ (define-public glibc (license lgpl2.0+) (home-page "https://www.gnu.org/software/libc/"))) +(define glibc/fixed + (package + (inherit glibc) + (name "glibc") + (version (package-version glibc)) + (source (origin + (method git-fetch) + (uri (git-reference + (url "git://sourceware.org/git/glibc.git") + ;; This is the latest commit from the + ;; 'release/2.39/master' branch, where CVEs and other + ;; important bug fixes are cherry picked. + (commit "2c882bf9c15d206aaf04766d1b8e3ae5b1002cc2"))) + (file-name (git-file-name name version)) + (sha256 + (base32 + "111yf24g0qcfcxywfzrilmjxysahlbkzxfimcz9rq8p00qzvvf51")) + (patches (map search-patch + (fold (cut delete <...>) + %glibc-patches + '("glibc-2.39-git-updates.patch")))))))) + ;; Define a variation of glibc which uses the default /etc/ld.so.cache, useful ;; in FHS containers. (define-public glibc-for-fhs base-commit: 93e1586116f39a30ba1fcb67bd839a43533dfaf4 -- 2.46.0
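Review bot: In the first hunk (@@ -878), the new %glibc-patches definition has no comment and carries the commented-out entry ;; "glibc-allow-kernel-2.6.32.patch" over unchanged. Because glibc/fixed later removes an entry from this list by exact file name, a short comment above the definition saying the list is shared by glibc and glibc/fixed would help, and the dead entry should either be dropped or given a reason for staying.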
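Review bot: In the second hunk (@@ -890), "CVE-2024-2961" is added to lint-hidden-cve on the base glibc package, yet the package's own source still resolves to the same twelve patches as before; the fix is reachable only through (replacement glibc/fixed). Add a comment beside the property stating that this CVE is addressed by the graft, so the entry is revisited when the replacement is removed or folded into the main package.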
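Review bot: In the third hunk (@@ -1182), the glibc/fixed origin fetches over (url "git://sourceware.org/git/glibc.git"), an unauthenticated plain-text transport. The pinned commit and the sha256 still protect the content, but using the https URL of the same repository avoids relying on those alone. In the same hunk, (fold (cut delete <...>) %glibc-patches '("glibc-2.39-git-updates.patch")) removes a single name and reads more simply as (delete "glibc-2.39-git-updates.patch" %glibc-patches); no import change is visible in the patch, so confirm base.scm already provides fold and cut if the current form is kept.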