GNU bug report logs - #27429
Stack clash (CVE-2017-1000366 etc)

Previous Next

Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Mon, 19 Jun 2017 22:27:01 UTC

Severity: serious

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

Full log

Message #38 received at 27429 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Efraim Flashner <efraim <at> flashner.co.il>
Cc: Mark H Weaver <mhw <at> netris.org>, 27429 <at> debbugs.gnu.org
Subject: Re: bug#27429: Stack clash (CVE-2017-1000366 etc)
Date: Wed, 21 Jun 2017 20:03:36 -0400

[Message part 1 (text/plain, inline)]
On Wed, Jun 21, 2017 at 07:52:27PM -0400, Leo Famulari wrote:
> On Wed, Jun 21, 2017 at 12:50:45PM +0300, Efraim Flashner wrote:
> > Had to make a small change to the patch, it turns out it couldn't build
> > the source for glibc <at> 2.21, so I changed the source to inherit from
> > glibc <at> 2.22 and not just from glibc. It doesn't change anything for the
> > actual glibc <at> 2.25.
> > 
> > -- 
> > Efraim Flashner   <efraim <at> flashner.co.il>   אפרים פלשנר
> > GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
> > Confidentiality cannot be guaranteed on emails sent or received unencrypted
> 
> > From ef14fa6db5eaedabbaa092cbed2b6f8ee903837c Mon Sep 17 00:00:00 2001
> > From: Efraim Flashner <efraim <at> flashner.co.il>
> > Date: Mon, 19 Jun 2017 23:13:53 +0300
> > Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
> > 
> > * gnu/packages/base.scm (glibc/linux)[replacement]: New field.
> > (glibc-2.25-fixed): New variable.
> > (glibc <at> 2.24, glibc <at> 2.23, glibc <at> 2.22, glibc <at> 2.21)[source]: Add patches.
> > [replacement]: New field.
> > (glibc-locales)[replacement]: New field.
> > * gnu/packages/commencement.scm (cross-gcc-wrapper)[replacement]: New field.
> > * gnu/packages/patches/glibc-CVE-2017-1000366.patch,
> > gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch,
> > gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch: New files.
> > * gnu/local.mk (dist_patch_DATA): Add them.
> 
> Thanks, I'm building a bare-bones disk image to test this patch.

Hm, I noticed the bootstrap binaries being downloaded, so I don't think
this patch applies the graft without causing a full rebuild.

[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 7 years and 309 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.