On Mon, Jun 19, 2017 at 08:49:20PM -0400, Leo Famulari wrote:
> On the glibc bugs (CVE-2016-1000366), civodul said:
> 
> [21:02:26]	<civodul>	lfam: i *think* GuixSD is immune to the LD_LIBRARY_PATH one, FWIW
> [...]
> [21:02:43]	<civodul>	lfam: because of the way is_trusted_path works in glibc
> 
> https://gnunet.org/bot/log/guix/2017-06-19#T1422600
> 
> Relevant upstream commits:
> 
> CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1 programs [BZ #21624]
> https://sourceware.org/git/?p=glibc.git;a=commit;h=f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d
> 
> ld.so: Reject overly long LD_PRELOAD path elements
> https://sourceware.org/git/?p=glibc.git;a=commit;h=6d0ba622891bed9d8394eef1935add53003b12e8
> 
> ld.so: Reject overly long LD_AUDIT path elements:
> https://sourceware.org/git/?p=glibc.git;a=commit;h=81b82fb966ffbd94353f793ad17116c6088dedd9

I don't know if this is true or not, but I have a patch here locally
that seems to work against the CVE. I haven't downloaded the other
patches and added them, but with all the '(replacement #f)''s in place
it should just work to add them in to the glibc packages we have.

I'll wait and see before pushing the patch.


-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted