GNU bug report logs - #27429
Stack clash (CVE-2017-1000366 etc)

Previous Next

Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Mon, 19 Jun 2017 22:27:01 UTC

Severity: serious

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Mark H Weaver <mhw <at> netris.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: 27429 <at> debbugs.gnu.org
Subject: bug#27429: Stack clash (CVE-2017-1000366 etc)
Date: Fri, 23 Jun 2017 16:03:24 -0400

Leo Famulari <leo <at> famulari.name> writes:

> On Fri, Jun 23, 2017 at 02:36:41PM -0400, Mark H Weaver wrote:
>> Most packages are linked with 'glibc-final' in (gnu packages
>> commencement), and we should expect them to now be linked with *its*
>> replacement.  Try this to find the expected glibc-final replacement:
>> 
>>   ./pre-inst-env guix build -e '((@@ (guix packages) package-replacement) (@@ (gnu packages commencement) glibc-final))'
>
> Thank you for the clarification. Indeed, with Efraim's latest patch,
> packages seem to be referring to the replacement for glibc-final.

That's good news!

> So, do we think this patch is ready to apply? AFAIK, nobody has yet
> tried upgrading a GuixSD system with this patch. I won't have access to
> my bare-metal GuixSD system for the next few days.

I think someone should try reconfiguring their GuixSD system and booting
into it before we apply it to master.  I might be able to do it tonight,
or else I can do it tomorrow.

       Mark

This bug report was last modified 7 years and 310 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.

GNU bug report logs - #27429 Stack clash (CVE-2017-1000366 etc)

GNU bug report logs - #27429
Stack clash (CVE-2017-1000366 etc)