GNU bug report logs - #28933
[PATCH] gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671.
Reported by: Marius Bakke <mbakke <at> fastmail.com>
Date: Sat, 21 Oct 2017 21:18:01 UTC
Severity: normal
Tags: patch
Done: Marius Bakke <mbakke <at> fastmail.com>
Bug is archived. No further changes may be made.
Report forwarded to guix-patches <at> gnu.org: bug#28933; Package guix-patches. (Sat, 21 Oct 2017 21:18:02 GMT)
Acknowledgement sent to Marius Bakke <mbakke <at> fastmail.com>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sat, 21 Oct 2017 21:18:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/patches/glibc-CVE-2017-15670-15671.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/base.scm (glibc/linux)[replacement]: New field.
(glibc/fixed): New variable.
---
gnu/local.mk | 1 +
gnu/packages/base.scm | 10 ++++++++
.../patches/glibc-CVE-2017-15670-15671.patch | 27 ++++++++++++++++++++++
3 files changed, 38 insertions(+)
create mode 100644 gnu/packages/patches/glibc-CVE-2017-15670-15671.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index a4e3426f5..6b70300ff 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -665,6 +665,7 @@ dist_patch_DATA = \
%D%/packages/patches/glibc-CVE-2017-1000366-pt1.patch \
%D%/packages/patches/glibc-CVE-2017-1000366-pt2.patch \
%D%/packages/patches/glibc-CVE-2017-1000366-pt3.patch \
+ %D%/packages/patches/glibc-CVE-2017-15670-15671.patch \
%D%/packages/patches/glibc-bootstrap-system.patch \
%D%/packages/patches/glibc-ldd-x86_64.patch \
%D%/packages/patches/glibc-locales.patch \
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index bc745351a..9c2ca149a 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -528,6 +528,7 @@ store.")
(package
(name "glibc")
(version "2.25")
+ (replacement glibc/fixed)
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnu/glibc/glibc-"
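Review bot: the new `(replacement glibc/fixed)` field at the top of the `glibc` 2.25 definition carries no comment saying why the package is grafted. A one-line comment next to the field naming CVE-2017-15670 and CVE-2017-15671 would tell the next reader what the replacement is for and when it can be removed.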
@@ -786,6 +787,15 @@ GLIBC/HURD for a Hurd host"
(define-syntax glibc
(identifier-syntax (glibc-for-target)))
+(define glibc/fixed
+ (package
+ (inherit glibc)
+ (source (origin
+ (inherit (package-source glibc))
+ (patches (append
+ (origin-patches (package-source glibc))
+ (search-patches "glibc-CVE-2017-15670-15671.patch")))))))
+
;; Below are old libc versions, which we use mostly to build locale data in
;; the old format (which the new libc cannot cope with.)
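Review bot: `glibc/fixed` only appends the new patch to the source of the 2.25 package, so the old libc versions that the trailing context comment says are defined just below are not covered by this hunk, and the commit message mentions only `glibc/linux`. If those variants keep their own patch lists, add `glibc-CVE-2017-15670-15671.patch` to them too, or say in the commit message that they are intentionally left as they are.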
diff --git a/gnu/packages/patches/glibc-CVE-2017-15670-15671.patch b/gnu/packages/patches/glibc-CVE-2017-15670-15671.patch
new file mode 100644
index 000000000..76d688c51
--- /dev/null
+++ b/gnu/packages/patches/glibc-CVE-2017-15670-15671.patch
@@ -0,0 +1,27 @@
+Fix CVE-2017-15670:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15670
+https://sourceware.org/bugzilla/show_bug.cgi?id=22320
+https://bugzilla.redhat.com/show_bug.cgi?id=1504804
+
+And CVE-2017-15671:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15671
+https://sourceware.org/bugzilla/show_bug.cgi?id=22325
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15671
+
+Copied from upstream:
+<https://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=2d1bd71ec70a31b01d01b734faa66bb1ed28961f>
+
+diff --git a/posix/glob.c b/posix/glob.c
+--- a/posix/glob.c
++++ b/posix/glob.c
+@@ -843,7 +843,7 @@
+ *p = '\0';
+ }
+ else
+- *((char *) mempcpy (newp, dirname + 1, end_name - dirname))
++ *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1))
+ = '\0';
+ user_name = newp;
+ }
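Review bot: the patch header says it fixes CVE-2017-15671 as well, but the only code change is the length passed to `mempcpy` in `posix/glob.c` (`end_name - dirname` becomes `end_name - dirname - 1`), and nothing in the header says how that one-byte correction relates to the second CVE. Please add a sentence per CVE describing the defect and which line addresses it, so the claim can be checked without following the links. The "Copied from upstream" URL also points at gnulib.git while the diff is against glibc's `posix/glob.c`; note that the change was adapted from gnulib, and use the same Red Hat bug URL style for both CVEs (one uses a numeric id, the other `id=CVE-2017-15671`).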
--
2.14.2
Information forwarded to guix-patches <at> gnu.org: bug#28933; Package guix-patches. (Sun, 22 Oct 2017 18:20:01 GMT)
Message #8 received at 28933 <at> debbugs.gnu.org (full text, mbox):
On Sat, Oct 21, 2017 at 11:17:32PM +0200, Marius Bakke wrote:
> * gnu/packages/patches/glibc-CVE-2017-15670-15671.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/base.scm (glibc/linux)[replacement]: New field.
> (glibc/fixed): New variable.
Thanks!
Do you think we need to do anything special with the glibc packages
besides glibc/linux, such as glibc/hurd, glibc-2.24, etc?
Information forwarded to guix-patches <at> gnu.org: bug#28933; Package guix-patches. (Sun, 22 Oct 2017 18:37:01 GMT)
Message #11 received at 28933 <at> debbugs.gnu.org (full text, mbox):
Leo Famulari <leo <at> famulari.name> writes:
> On Sat, Oct 21, 2017 at 11:17:32PM +0200, Marius Bakke wrote:
>> * gnu/packages/patches/glibc-CVE-2017-15670-15671.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> * gnu/packages/base.scm (glibc/linux)[replacement]: New field.
>> (glibc/fixed): New variable.
>
> Thanks!
>
> Do you think we need to do anything special with the glibc packages
> besides glibc/linux, such as glibc/hurd, glibc-2.24, etc?
It probably should be picked to the earlier glibcs as well, IIRC the
affected code was from 1997. I'll try this and amend the patch.
Not sure about glibc/hurd, but I notice it does not have the other
security patches that 'glibc-2.23' has. Picking those should be left to
someone able to easily test it IMO.
Side-note: I was really surprised that grafting glibc had become *this
easy*, but it seems to work in my testing. I'll push this after
patching the older glibc variants unless there are further comments.
Reply sent to Marius Bakke <mbakke <at> fastmail.com>: You have taken responsibility. (Sun, 22 Oct 2017 21:16:02 GMT)
Notification sent to Marius Bakke <mbakke <at> fastmail.com>: bug acknowledged by developer. (Sun, 22 Oct 2017 21:16:02 GMT)
Message #16 received at 28933-done <at> debbugs.gnu.org (full text, mbox):
Marius Bakke <mbakke <at> fastmail.com> writes:
> Leo Famulari <leo <at> famulari.name> writes:
>
>> On Sat, Oct 21, 2017 at 11:17:32PM +0200, Marius Bakke wrote:
>>> * gnu/packages/patches/glibc-CVE-2017-15670-15671.patch: New file.
>>> * gnu/local.mk (dist_patch_DATA): Register it.
>>> * gnu/packages/base.scm (glibc/linux)[replacement]: New field.
>>> (glibc/fixed): New variable.
>>
>> Thanks!
>>
>> Do you think we need to do anything special with the glibc packages
>> besides glibc/linux, such as glibc/hurd, glibc-2.24, etc?
>
> It probably should be picked to the earlier glibcs as well, IIRC the
> affected code was from 1997. I'll try this and amend the patch.
Pushed to master as 60e29339d8389e678bb9ca4bd3420ee9ee88bdf2.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 20 Nov 2017 12:24:04 GMT)