From: Marius Bakke
To: guix-patches@gnu.org
Subject: [PATCH] gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671.
Date: Sat, 21 Oct 2017 23:17:32 +0200
Message-Id: <20171021211732.13039-1-mbakke@fastmail.com>

* gnu/packages/patches/glibc-CVE-2017-15670-15671.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/base.scm (glibc/linux)[replacement]: New field.
(glibc/fixed): New variable.

--- gnu/local.mk | 1 + gnu/packages/base.scm | 10 ++++++++ .../patches/glibc-CVE-2017-15670-15671.patch | 27 ++++++++++++++++++++++ 3 files changed, 38 insertions(+) create mode 100644 gnu/packages/patches/glibc-CVE-2017-15670-15671.patch diff --git a/gnu/local.mk b/gnu/local.mk index a4e3426f5..6b70300ff 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -665,6 +665,7 @@ dist_patch_DATA = \ %D%/packages/patches/glibc-CVE-2017-1000366-pt1.patch \ %D%/packages/patches/glibc-CVE-2017-1000366-pt2.patch \ %D%/packages/patches/glibc-CVE-2017-1000366-pt3.patch \ + %D%/packages/patches/glibc-CVE-2017-15670-15671.patch \ %D%/packages/patches/glibc-bootstrap-system.patch \ %D%/packages/patches/glibc-ldd-x86_64.patch \ %D%/packages/patches/glibc-locales.patch \ diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index bc745351a..9c2ca149a 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm 
@@ -528,6 +528,7 @@ store.") (package (name "glibc") (version "2.25") + (replacement glibc/fixed) (source (origin (method url-fetch) (uri (string-append "mirror://gnu/glibc/glibc-" @@ -786,6 +787,15 @@ GLIBC/HURD for a Hurd host" (define-syntax glibc (identifier-syntax (glibc-for-target))) +(define glibc/fixed + (package + (inherit glibc) + (source (origin + (inherit (package-source glibc)) + (patches (append + (origin-patches (package-source glibc)) + (search-patches "glibc-CVE-2017-15670-15671.patch"))))))) + ;; Below are old libc versions, which we use mostly to build locale data in ;; the old format (which the new libc cannot cope with.) diff --git a/gnu/packages/patches/glibc-CVE-2017-15670-15671.patch b/gnu/packages/patches/glibc-CVE-2017-15670-15671.patch new file mode 100644 index 000000000..76d688c51 --- /dev/null +++ b/gnu/packages/patches/glibc-CVE-2017-15670-15671.patch 
@@ -0,0 +1,27 @@ +Fix CVE-2017-15670: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15670 +https://sourceware.org/bugzilla/show_bug.cgi?id=22320 +https://bugzilla.redhat.com/show_bug.cgi?id=1504804 + +And CVE-2017-15671: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15671 +https://sourceware.org/bugzilla/show_bug.cgi?id=22325 +https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15671 + +Copied from upstream: + + +diff --git a/posix/glob.c b/posix/glob.c +--- a/posix/glob.c ++++ b/posix/glob.c +@@ -843,7 +843,7 @@ + *p = '\0'; + } + else +- *((char *) mempcpy (newp, dirname + 1, end_name - dirname)) ++ *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1)) + = '\0'; + user_name = newp; + } -- 2.14.2
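
Review bot: In gnu/packages/base.scm, the replacement field is added only to the package at version "2.25" and glibc/fixed is built from (inherit glibc), while the context comment right after the new definition says older libc versions follow; nothing in this patch adds glibc-CVE-2017-15670-15671.patch to them. Either append the patch to those variants' patch lists as well, or say in the commit message why they are left out. A one-line comment above glibc/fixed naming the CVEs it grafts would also help whoever drops the graft at the next glibc update.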
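
Review bot: The header of glibc-CVE-2017-15670-15671.patch ends with "Copied from upstream:" but no commit URL or hash is visible after it, so the origin of the posix/glob.c change cannot be checked from the file itself. Add the upstream commit reference on the line after it. The header also names two CVEs while the diff carries a single change, the mempcpy length going from end_name - dirname to end_name - dirname - 1, so state in the header whether that one change covers both. The third link under CVE-2017-15671 uses id=CVE-2017-15671 where the other Bugzilla links use numeric ids; a numeric id would be consistent.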

Date: Sun, 22 Oct 2017 14:19:52 -0400
From: Leo Famulari
To: Marius Bakke
Cc: "Mark H. Weaver", 28933@debbugs.gnu.org
Subject: Re: [bug#28933] [PATCH] gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671.
Message-ID: <20171022181952.GA21850@jasmine.lan>

On Sat, Oct 21, 2017 at 11:17:32PM +0200, Marius Bakke wrote:
> * gnu/packages/patches/glibc-CVE-2017-15670-15671.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/base.scm (glibc/linux)[replacement]: New field.
> (glibc/fixed): New variable.

Thanks!

Do you think we need to do anything special with the glibc packages
besides glibc/linux, such as glibc/hurd, glibc-2.24, etc?

From: Marius Bakke
To: Leo Famulari
Cc: "Mark H. Weaver", 28933@debbugs.gnu.org
Subject: Re: [bug#28933] [PATCH] gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671.
Date: Sun, 22 Oct 2017 20:36:06 +0200
Message-ID: <87wp3nyqqx.fsf@fastmail.com>

Leo Famulari writes:

> On Sat, Oct 21, 2017 at 11:17:32PM +0200, Marius Bakke wrote:
>> * gnu/packages/patches/glibc-CVE-2017-15670-15671.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> * gnu/packages/base.scm (glibc/linux)[replacement]: New field.
>> (glibc/fixed): New variable.
>
> Thanks!
>
> Do you think we need to do anything special with the glibc packages
> besides glibc/linux, such as glibc/hurd, glibc-2.24, etc?

It probably should be picked to the earlier glibcs as well, IIRC the
affected code was from 1997. I'll try this and amend the patch.

Not sure about glibc/hurd, but I notice it does not have the other
security patches that 'glibc-2.23' has. Picking those should be left to
someone able to easily test it IMO.

Side-note: I was really surprised that grafting glibc had become *this
easy*, but it seems to work in my testing.

I'll push this after patching the older glibc variants unless there are
further comments.

From: Marius Bakke
To: Leo Famulari
Cc: "Mark H. Weaver", 28933-done@debbugs.gnu.org
Subject: Re: [bug#28933] [PATCH] gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671.
Date: Sun, 22 Oct 2017 23:15:29 +0200
Message-ID: <87tvyqzxxq.fsf@fastmail.com>

Marius Bakke writes:

> Leo Famulari writes:
>
>> On Sat, Oct 21, 2017 at 11:17:32PM +0200, Marius Bakke wrote:
>>> * gnu/packages/patches/glibc-CVE-2017-15670-15671.patch: New file.
>>> * gnu/local.mk (dist_patch_DATA): Register it.
>>> * gnu/packages/base.scm (glibc/linux)[replacement]: New field.
>>> (glibc/fixed): New variable.
>>
>> Thanks!
>>
>> Do you think we need to do anything special with the glibc packages
>> besides glibc/linux, such as glibc/hurd, glibc-2.24, etc?
>
> It probably should be picked to the earlier glibcs as well, IIRC the
> affected code was from 1997. I'll try this and amend the patch.

Pushed to master as 60e29339d8389e678bb9ca4bd3420ee9ee88bdf2.