GNU bug report logs - #27429
Stack clash (CVE-2017-1000366 etc)

Previous Next

Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Mon, 19 Jun 2017 22:27:01 UTC

Severity: serious

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: Mark H Weaver <mhw <at> netris.org>, 27429 <at> debbugs.gnu.org
Subject: bug#27429: core-updates and shishi [was Re: bug#27429: Stack clash (CVE-2017-1000366 etc)]
Date: Fri, 30 Jun 2017 00:27:57 +0200

Leo Famulari <leo <at> famulari.name> skribis:

> On Thu, Jun 29, 2017 at 10:06:08PM +0200, Ludovic Courtès wrote:
>> Leo, let me know when you feel that we should start a new evaluation.
>
> First I want to ungraft today's libgcrypt and poppler replacements.
>
> I also want to apply the attached patch so we can stop using
> libgcrypt-1.5 with Shishi, and instead use the latest libgcrypt. This
> patch does require us to re-bootstrap Shishi, but I think it's worth it
> if it means we can drop the older libgcrypt package. Does anyone have
> feedback on this patch?

It’s a good idea.

> I'll do some local testing of this change in the next few hours and then
> start the evaluation.
>
> From 83fcaa7aac05f499a985ec02db55458e2d719de3 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo <at> famulari.name>
> Date: Thu, 29 Jun 2017 04:11:18 -0400
> Subject: [PATCH] gnu: shishi: Build with latest libgcrypt.
>
> * gnu/packages/patches/shishi-fix-libgcrypt-detection.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/kerberos.scm (shishi)[source]: Use it.
> [inputs]: Replace libgcrypt-1.5 with libgcrypt.
> [native-inputs]: Add bootstrapping inputs.
> [arguments]: Add a 'bootstrap' phase.
> * gnu/packages/gnupg.scm (libgcrypt-1.5): Remove variable.

[...]

>        (method url-fetch)
>        (uri (string-append "mirror://gnu/shishi/shishi-"
>                            version ".tar.gz"))
> +      (patches (search-patches "shishi-fix-libgcrypt-detection.patch"))
>        (sha256
>         (base32
>          "032qf72cpjdfffq1yq54gz3ahgqf2ijca4vl31sfabmjzq9q370d"))))
>      (build-system gnu-build-system)
> -    (native-inputs `(("pkg-config" ,pkg-config)))
> +    (arguments
> +     `(#:phases
> +       (modify-phases %standard-phases
> +         (add-before 'configure 'bootstrap
> +           (lambda _ (zero? (system* "autoreconf" "-vfi")))))))
> +    (native-inputs `(("pkg-config" ,pkg-config)
> +                     ;; XXX For bootstrapping. Remove for the next Shishi
> +                     ;; release after 1.0.2.
> +                     ("autoconf" ,autoconf)
> +                     ("automake" ,automake)
> +                     ("gettext" ,gnu-gettext)
> +                     ("libtool" ,libtool)
> +                     ("texinfo" ,texinfo)))

I think you can achieve the same result but without adding these
dependencies etc. just by adding:

  #:configure-flags '("ac_cv_libgcrypt=yes")

which I think is marginally better (but no big deal).

Thanks,
Ludo’.
This bug report was last modified 7 years and 360 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.