GNU bug report logs - #27429
Stack clash (CVE-2017-1000366 etc)

Previous Next

Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Mon, 19 Jun 2017 22:27:01 UTC

Severity: serious

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Mark H Weaver <mhw <at> netris.org>
To: ludo <at> gnu.org (Ludovic Courtès)
Cc: 27429 <at> debbugs.gnu.org, Efraim Flashner <efraim <at> flashner.co.il>, Leo Famulari <leo <at> famulari.name>
Subject: bug#27429: Stack clash (CVE-2017-1000366 etc)
Date: Mon, 26 Jun 2017 07:19:12 -0400

Hi Ludovic,

ludo <at> gnu.org (Ludovic Courtès) writes:

> Mark H Weaver <mhw <at> netris.org> skribis:
>
>> I tried to copy the .drv files for the grafted 'glibc-final' and
>> 'glibc-final-with-bootstrap-bash' from my machine to Hydra, in order to
>> ask Hydra to build it, but both "guix copy" and "guix archive --export"
>> failed:
>>
>> mhw <at> jojen ~$ guix copy --to=hydra <at> hydra
>> /gnu/store/17gcwll4a2y3cjk8jf3fg2gr105m9f4i-glibc-2.25.drv
>> /gnu/store/78j5arbcgjfbj0m91fn6p5s71kz7w2yw-glibc-2.25.drv
>> sending 11 store items to 'localhost'...
>> guix copy: error: corrupt input while restoring archive from #<closed: file 231bbd0>
>> mhw <at> jojen ~$ guix archive --export
>> /gnu/store/17gcwll4a2y3cjk8jf3fg2gr105m9f4i-glibc-2.25.drv
>> /gnu/store/78j5arbcgjfbj0m91fn6p5s71kz7w2yw-glibc-2.25.drv >
>> GRAFTED-GLIBC-DRVS.nar
>> guix archive: error: corrupt input while restoring archive from #<closed: file 17e9d20>
>
> Apparently they got built at some point.

Yes, I ran "guix pull" for user mhw on Hydra, and then asked it to build
a grafted 'hello' for all three hydra-supported platforms.  This
entailed building a grafted 'glibc-final' as well as 'perl' and 'expat'.
I then ran:

  guix challenge --substitute-urls=https://hydra.gnu.org /gnu/store/...

to generate narinfo requests for the relevant outputs, on the theory
that this would cause guix-publish to build NARs.  (Am I right?)

> As for the problems above: error reporting in ‘guix copy’ is suboptimal
> (help welcome!), and the ‘guix archive --export’ problem looks like a
> bug; could you report it?

Sure.

>> I'm concerned that i686 and armhf users are going to have a rude
>> awakening when they not only have to build two variants of glibc, but
>> also a bunch of the early bootstrap because the NARs are not available
>> on Hydra.  It would be good if someone could take care of that.
>
> Doing:
>
> $ ./pre-inst-env guix build -e '(begin (use-modules (guix)) (package-replacement (@@ (gnu packages commencement) glibc-final)))' -s i686-linux --log-file --no-grafts
> https://mirror.hydra.gnu.org/log/ivvdx2m0p6gnmcxmz355z106ffqg9p25-glibc-2.25.drv
>
>
> I see that glibc fails to build on i686 (but I think you’ve just fixed
> it?):

Yes, I fixed the i686 problem in commit
ffc015bea26f24d862e7e877d907fbe1ab9a9967.  FYI, this problem was
reported as a separate bug, which is now closed:

  https://bugs.gnu.org/27489

      Thanks,
        Mark
This bug report was last modified 7 years and 309 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.