bug#70581: PHP, glibc, and CVE-2024-2961

bug#70581: PHP, glibc, and CVE-2024-2961

[McSinyx via Bug reports for GNU Guix]

Hello Guix,

Last week, an overflow bug in glibc's iconv(3) was discovered:
https://www.openwall.com/lists/oss-security/2024/04/17/9

It may enable remove code execution through PHP.  Due to
the immutable nature of Guix, is it possible to hotpatch
this using graft, or do we need to rebuild to world?
https://rockylinux.org/news/glibc-vulnerability-april-2024/

Kind regards,
McSinyx

bug#70581: PHP, glibc, and CVE-2024-2961

[Liliana Marie Prikler]

Hi McSinyx,

security-relevant bugs ought to go to <guix-security@gnu.org>, see [1].
Since a patch exists for glibc all the way back to 2.30, I suppose a
graft can be used and should be performed timely. 

Cheers

[1] https://guix.gnu.org/en/security/

bug#70581: [PATCH] gnu: glibc: Graft with fix for CVE-2024-2961.

[Maxim Cournoyer]

* gnu/packages/base.scm (%glibc-patches): New variable.
(glibc) [source]: Use it.
[properties]: Mark CVE-2024-2961 as hidden (resolved).
[replacement]: Add field to graft with...
(glibc/fixed): ... this new package.

Fixes: <https://issues.guix.gnu.org/70581>
Change-Id: I6dd70b0e157283925824348f180c466c2f6387c9
---
 gnu/packages/base.scm | 55 ++++++++++++++++++++++++++++++++-----------
 1 file changed, 41 insertions(+), 14 deletions(-)

diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index b3f54798c4..a060ed556d 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -878,6 +878,21 @@ (define* (make-ld-wrapper name #:key
     (home-page "https://www.gnu.org/software/guix//")
     (license gpl3+)))
 
+(define %glibc-patches
+  (list "glibc-2.39-git-updates.patch"
+        "glibc-ldd-powerpc.patch"
+        "glibc-2.38-ldd-x86_64.patch"
+        "glibc-dl-cache.patch"
+        "glibc-2.37-versioned-locpath.patch"
+        ;; "glibc-allow-kernel-2.6.32.patch"
+        "glibc-reinstate-prlimit64-fallback.patch"
+        "glibc-supported-locales.patch"
+        "glibc-2.37-hurd-clock_t_centiseconds.patch"
+        "glibc-2.37-hurd-local-clock_gettime_MONOTONIC.patch"
+        "glibc-hurd-mach-print.patch"
+        "glibc-hurd-gettyent.patch"
+        "glibc-hurd-getauxval.patch"))
+
 (define-public glibc
   ;; This is the GNU C Library, used on GNU/Linux and GNU/Hurd.  Prior to
   ;; version 2.28, GNU/Hurd used a different glibc branch.
@@ -890,21 +905,11 @@ (define-public glibc
             (sha256
              (base32
               "09nrwb0ksbah9k35jchd28xxp2hidilqdgz7b8v5f30pz1yd8yzp"))
-            (patches (search-patches "glibc-2.39-git-updates.patch"
-                                     "glibc-ldd-powerpc.patch"
-                                     "glibc-2.38-ldd-x86_64.patch"
-                                     "glibc-dl-cache.patch"
-                                     "glibc-2.37-versioned-locpath.patch"
-                                     ;; "glibc-allow-kernel-2.6.32.patch"
-                                     "glibc-reinstate-prlimit64-fallback.patch"
-                                     "glibc-supported-locales.patch"
-                                     "glibc-2.37-hurd-clock_t_centiseconds.patch"
-                                     "glibc-2.37-hurd-local-clock_gettime_MONOTONIC.patch"
-                                     "glibc-hurd-mach-print.patch"
-                                     "glibc-hurd-gettyent.patch"
-                                     "glibc-hurd-getauxval.patch"))))
-   (properties `((lint-hidden-cve . ("CVE-2024-33601" "CVE-2024-33602"
+            (patches (map search-patch %glibc-patches))))
+   (properties `((lint-hidden-cve . ("CVE-2024-2961"
+                                     "CVE-2024-33601" "CVE-2024-33602"
                                      "CVE-2024-33600" "CVE-2024-33599"))))
+   (replacement glibc/fixed)
    (build-system gnu-build-system)
 
    ;; Glibc's <limits.h> refers to <linux/limit.h>, for instance, so glibc
@@ -1182,6 +1187,28 @@ (define-public glibc
    (license lgpl2.0+)
    (home-page "https://www.gnu.org/software/libc/")))
 
+(define glibc/fixed
+  (package
+    (inherit glibc)
+    (name "glibc")
+    (version (package-version glibc))
+    (source (origin
+              (method git-fetch)
+              (uri (git-reference
+                    (url "git://sourceware.org/git/glibc.git")
+                    ;; This is the latest commit from the
+                    ;; 'release/2.39/master' branch, where CVEs and other
+                    ;; important bug fixes are cherry picked.
+                    (commit "2c882bf9c15d206aaf04766d1b8e3ae5b1002cc2")))
+              (file-name (git-file-name name version))
+              (sha256
+               (base32
+                "111yf24g0qcfcxywfzrilmjxysahlbkzxfimcz9rq8p00qzvvf51"))
+              (patches (map search-patch
+                            (fold (cut delete <...>)
+                                  %glibc-patches
+                                  '("glibc-2.39-git-updates.patch"))))))))
+
 ;; Define a variation of glibc which uses the default /etc/ld.so.cache, useful
 ;; in FHS containers.
 (define-public glibc-for-fhs

base-commit: 93e1586116f39a30ba1fcb67bd839a43533dfaf4
-- 
2.46.0