GNU bug report logs - #28933
[PATCH] gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671.
Reported by: Marius Bakke <mbakke <at> fastmail.com>
Date: Sat, 21 Oct 2017 21:18:01 UTC
Severity: normal
Tags: patch
Done: Marius Bakke <mbakke <at> fastmail.com>
Bug is archived. No further changes may be made.
Message #11 received at 28933 <at> debbugs.gnu.org (full text, mbox):
Leo Famulari <leo <at> famulari.name> writes:
> On Sat, Oct 21, 2017 at 11:17:32PM +0200, Marius Bakke wrote:
>> * gnu/packages/patches/glibc-CVE-2017-15670-15671.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> * gnu/packages/base.scm (glibc/linux)[replacement]: New field.
>> (glibc/fixed): New variable.
>
> Thanks!
>
> Do you think we need to do anything special with the glibc packages
> besides glibc/linux, such as glibc/hurd, glibc-2.24, etc?

It probably should be picked to the earlier glibcs as well, IIRC the
affected code was from 1997. I'll try this and amend the patch.

Not sure about glibc/hurd, but I notice it does not have the other
security patches that 'glibc-2.23' has. Picking those should be left to
someone able to easily test it IMO.

Side-note: I was really surprised that grafting glibc had become *this
easy*, but it seems to work in my testing. I'll push this after
patching the older glibc variants unless there are further comments.
This bug report was last modified 7 years and 274 days ago.