From: bug#29490 <29490@debbugs.gnu.org>
To: bug#29490 <29490@debbugs.gnu.org>
Subject: Status: [PATCH] Revert "gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671."
Reply-To: bug#29490 <29490@debbugs.gnu.org>
Date: Mon, 23 Jun 2025 11:12:35 +0000

retitle 29490 [PATCH] Revert "gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671."
reassign 29490 guix-patches
submitter 29490 Marius Bakke
severity 29490 normal
tag 29490 patch
thanks

From: Marius Bakke
To: guix-patches@gnu.org
Cc: Marius Bakke
Subject: [PATCH] Revert "gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671."
Date: Tue, 28 Nov 2017 18:09:37 +0100
Message-Id: <20171128170937.31110-1-mbakke@fastmail.com>

These issues have been classified as minor by Debian:

https://security-tracker.debian.org/tracker/CVE-2017-15670
https://security-tracker.debian.org/tracker/CVE-2017-15671

...and are not worth the cost of grafting and maintaining this patch.

This reverts commit 60e29339d8389e678bb9ca4bd3420ee9ee88bdf2.

--- gnu/local.mk | 1 - gnu/packages/base.scm | 13 ----------- .../patches/glibc-CVE-2017-15670-15671.patch | 27 ---------------------- 3 files changed, 41 deletions(-) delete mode 100644 gnu/packages/patches/glibc-CVE-2017-15670-15671.patch diff --git a/gnu/local.mk b/gnu/local.mk index 0a46bfd3d..7b2fb7c7a 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -682,7 +682,6 @@ dist_patch_DATA = \ %D%/packages/patches/glibc-CVE-2017-1000366-pt1.patch \ %D%/packages/patches/glibc-CVE-2017-1000366-pt2.patch \ %D%/packages/patches/glibc-CVE-2017-1000366-pt3.patch \ - %D%/packages/patches/glibc-CVE-2017-15670-15671.patch \ %D%/packages/patches/glibc-bootstrap-system.patch \ %D%/packages/patches/glibc-ldd-x86_64.patch \ %D%/packages/patches/glibc-locales.patch \ diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index 9cb628d8d..bc745351a 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm 
@@ -528,7 +528,6 @@ store.") (package (name "glibc") (version "2.25") - (replacement glibc/fixed) (source (origin (method url-fetch) (uri (string-append "mirror://gnu/glibc/glibc-" @@ -787,15 +786,6 @@ GLIBC/HURD for a Hurd host" (define-syntax glibc (identifier-syntax (glibc-for-target))) -(define glibc/fixed - (package - (inherit glibc) - (source (origin - (inherit (package-source glibc)) - (patches (append - (origin-patches (package-source glibc)) - (search-patches "glibc-CVE-2017-15670-15671.patch"))))))) - ;; Below are old libc versions, which we use mostly to build locale data in ;; the old format (which the new libc cannot cope with.) @@ -815,7 +805,6 @@ GLIBC/HURD for a Hurd host" "glibc-o-largefile.patch" "glibc-vectorized-strcspn-guards.patch" "glibc-CVE-2015-5180.patch" - "glibc-CVE-2017-15670-15671.patch" "glibc-CVE-2017-1000366-pt1.patch" "glibc-CVE-2017-1000366-pt2.patch" "glibc-CVE-2017-1000366-pt3.patch")))))) @@ -839,7 +828,6 @@ GLIBC/HURD for a Hurd host" "glibc-CVE-2016-3075.patch" "glibc-CVE-2016-3706.patch" "glibc-CVE-2016-4429.patch" - "glibc-CVE-2017-15670-15671.patch" "glibc-CVE-2017-1000366-pt1.patch" "glibc-CVE-2017-1000366-pt2.patch" "glibc-CVE-2017-1000366-pt3.patch")))))) @@ -862,7 +850,6 @@ GLIBC/HURD for a Hurd host" "glibc-CVE-2016-3075.patch" "glibc-CVE-2016-3706.patch" "glibc-CVE-2016-4429.patch" - "glibc-CVE-2017-15670-15671.patch" "glibc-CVE-2017-1000366-pt1.patch" "glibc-CVE-2017-1000366-pt2.patch" "glibc-CVE-2017-1000366-pt3.patch")))) diff --git a/gnu/packages/patches/glibc-CVE-2017-15670-15671.patch b/gnu/packages/patches/glibc-CVE-2017-15670-15671.patch deleted file mode 100644 index 76d688c51..000000000 --- a/gnu/packages/patches/glibc-CVE-2017-15670-15671.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -Fix CVE-2017-15670: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15670 -https://sourceware.org/bugzilla/show_bug.cgi?id=22320 -https://bugzilla.redhat.com/show_bug.cgi?id=1504804 - -And CVE-2017-15671: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15671 -https://sourceware.org/bugzilla/show_bug.cgi?id=22325 -https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15671 - -Copied from upstream: - - -diff --git a/posix/glob.c b/posix/glob.c ---- a/posix/glob.c -+++ b/posix/glob.c -@@ -843,7 +843,7 @@ - *p = '\0'; - } - else -- *((char *) mempcpy (newp, dirname + 1, end_name - dirname)) -+ *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1)) - = '\0'; - user_name = newp; - } -- 2.15.0
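
Review bot: The commit message justifies dropping `(replacement glibc/fixed)` at @@ -528 and the `glibc/fixed` definition at @@ -787 in gnu/packages/base.scm only by Debian's "minor" rating, and does not say where glibc 2.25 users will get the posix/glob.c fix afterwards. Name the version or branch that carries it in the log (the follow-up in this thread points to glibc 2.26 on core-updates), so the revert is recorded as a deferral and can be checked once that merge lands.
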
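
Review bot: The hunks at @@ -815, @@ -839 and @@ -862 remove "glibc-CVE-2017-15670-15671.patch" from the patch lists that follow the ";; Below are old libc versions" comment, which the stated reason (the cost of grafting) does not cover, since those entries are ordinary source patches and not the `replacement` graft. Either explain in the log that the older libcs lose the fix as well, or keep the patch file and its gnu/local.mk entry for them.
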
From: ludo@gnu.org (Ludovic Courtès)
To: Marius Bakke
Cc: 29490@debbugs.gnu.org
Subject: Re: [bug#29490] [PATCH] Revert "gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671."
In-Reply-To: <20171128170937.31110-1-mbakke@fastmail.com>
Date: Tue, 05 Dec 2017 12:08:11 +0100
Message-ID: <87374pe8kk.fsf@gnu.org>

Hello,

Marius Bakke wrote:

> These issues have been classified as minor by Debian:
>
> https://security-tracker.debian.org/tracker/CVE-2017-15670
> https://security-tracker.debian.org/tracker/CVE-2017-15671
>
> ...and are not worth the cost of grafting and maintaining this patch.

I don’t see Debian’s classification as “minor”, but I see NVD severity
“high” and “medium” (I personally fail to imagine concrete remote
exploitation scenarios, but I largely lack the mental muscles for this.)

Ludo’.

From: Marius Bakke
To: Ludovic Courtès
Cc: 29490@debbugs.gnu.org
Subject: Re: [bug#29490] [PATCH] Revert "gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671."
In-Reply-To: <87374pe8kk.fsf@gnu.org>
Date: Wed, 06 Dec 2017 00:03:39 +0100
Message-ID: <87zi6wydys.fsf@fastmail.com>

Ludovic Courtès writes:

> Hello,
>
> Marius Bakke wrote:
>
>> These issues have been classified as minor by Debian:
>>
>> https://security-tracker.debian.org/tracker/CVE-2017-15670
>> https://security-tracker.debian.org/tracker/CVE-2017-15671
>>
>> ...and are not worth the cost of grafting and maintaining this patch.
>
> I don’t see Debian’s classification as “minor”, but I see NVD severity
> “high” and “medium” (I personally fail to imagine concrete remote
> exploitation scenarios, but I largely lack the mental muscles for this.)

At the bottom of the page is the status for the stable releases, which
didn't get a DSA due to being a minor issue.

The recent update of glibc on core-updates included a fix for a similar
problem:

https://security-tracker.debian.org/tracker/CVE-2017-15671

I suppose we can graft that too, but would prefer to just drop them. We
get the fixes when we merge core-updates in a few weeks anyway.

From: Marius Bakke
To: Ludovic Courtès
Cc: 29490-done@debbugs.gnu.org
Subject: Re: [bug#29490] [PATCH] Revert "gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671."
In-Reply-To: <87zi6wydys.fsf@fastmail.com>
Date: Tue, 02 Jan 2018 17:06:27 +0100
Message-ID: <87po6s9rek.fsf@fastmail.com>

Marius Bakke writes:

> Ludovic Courtès writes:
>
>> Hello,
>>
>> Marius Bakke wrote:
>>
>>> These issues have been classified as minor by Debian:
>>>
>>> https://security-tracker.debian.org/tracker/CVE-2017-15670
>>> https://security-tracker.debian.org/tracker/CVE-2017-15671
>>>
>>> ...and are not worth the cost of grafting and maintaining this patch.
>>
>> I don’t see Debian’s classification as “minor”, but I see NVD severity
>> “high” and “medium” (I personally fail to imagine concrete remote
>> exploitation scenarios, but I largely lack the mental muscles for this.)
>
> At the bottom of the page is the status for the stable releases, which
> didn't get a DSA due to being a minor issue.
>
> The recent update of glibc on core-updates included a fix for a similar
> problem:
>
> https://security-tracker.debian.org/tracker/CVE-2017-15671
>
> I suppose we can graft that too, but would prefer to just drop them. We
> get the fixes when we merge core-updates in a few weeks anyway.

I pushed this to core-updates, since I'd rather not re-graft everything
on 'master'. The 2.26 package on core-updates has these fixes anyway.

This particular patch author will do a lot more research on future glibc
security issues...

From: ludo@gnu.org (Ludovic Courtès)
To: Marius Bakke
Cc: 29490-done@debbugs.gnu.org
Subject: Re: [bug#29490] [PATCH] Revert "gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671."
In-Reply-To: <87po6s9rek.fsf@fastmail.com>
Date: Tue, 02 Jan 2018 23:27:24 +0100
Message-ID: <87r2r7x5f7.fsf@gnu.org>

Heya,

Marius Bakke wrote:

> Marius Bakke writes:
>
>> Ludovic Courtès writes:
>>
>>> Hello,
>>>
>>> Marius Bakke wrote:
>>>
>>>> These issues have been classified as minor by Debian:
>>>>
>>>> https://security-tracker.debian.org/tracker/CVE-2017-15670
>>>> https://security-tracker.debian.org/tracker/CVE-2017-15671
>>>>
>>>> ...and are not worth the cost of grafting and maintaining this patch.
>>>
>>> I don’t see Debian’s classification as “minor”, but I see NVD severity
>>> “high” and “medium” (I personally fail to imagine concrete remote
>>> exploitation scenarios, but I largely lack the mental muscles for this.)
>>
>> At the bottom of the page is the status for the stable releases, which
>> didn't get a DSA due to being a minor issue.
>>
>> The recent update of glibc on core-updates included a fix for a similar
>> problem:
>>
>> https://security-tracker.debian.org/tracker/CVE-2017-15671
>>
>> I suppose we can graft that too, but would prefer to just drop them. We
>> get the fixes when we merge core-updates in a few weeks anyway.
>
> I pushed this to core-updates, since I'd rather not re-graft everything
> on 'master'. The 2.26 package on core-updates has these fixes anyway.

Great, thanks for keeping track of it.

> This particular patch author will do a lot more research on future glibc
> security issues...

Heheh. :-)

Ludo’.

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Wed, 31 Jan 2018 12:24:05 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator