GNU bug report logs - #29490
[PATCH] Revert "gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671."

Previous Next

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Marius Bakke <mbakke <at> fastmail.com>
Subject: bug#29490: closed (Re: [bug#29490] [PATCH] Revert "gnu: glibc:
 Fix CVE-2017-15670, CVE-2017-15671.")
Date: Tue, 02 Jan 2018 16:07:02 +0000

[Message part 1 (text/plain, inline)]

Your bug report

#29490: [PATCH] Revert "gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671."

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 29490 <at> debbugs.gnu.org.

-- 
29490: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=29490
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]

From: Marius Bakke <mbakke <at> fastmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 29490-done <at> debbugs.gnu.org
Subject: Re: [bug#29490] [PATCH] Revert "gnu: glibc: Fix CVE-2017-15670,
 CVE-2017-15671."
Date: Tue, 02 Jan 2018 17:06:27 +0100

[Message part 3 (text/plain, inline)]

Marius Bakke <mbakke <at> fastmail.com> writes:

> Ludovic Courtès <ludo <at> gnu.org> writes:
>
>> Hello,
>>
>> Marius Bakke <mbakke <at> fastmail.com> skribis:
>>
>>> These issues has been classified as minor by Debian:
>>>
>>> https://security-tracker.debian.org/tracker/CVE-2017-15670
>>> https://security-tracker.debian.org/tracker/CVE-2017-15671
>>>
>>> ...and is not worth the cost of grafting and maintaining this patch.
>>
>> I don’t see Debian’s classification as “minor”, but I see NVD severity
>> “high” and “medium” (I personally fail to imagine concrete remote
>> exploitation scenarios, but I largely lack the mental muscles for this.)
>
> At the bottom of the page is the status for the stable releases, which
> didn't get a DSA due to being a minor issue.
>
> The recent update of glibc on core-updates included a fix for a similar
> problem:
>
> https://security-tracker.debian.org/tracker/CVE-2017-15671
>
> I suppose we can graft that too, but would prefer to just drop them.  We
> get the fixes when we merge core-updates in a few weeks anyway.

I pushed this to core-updates, since I'd rather not re-graft everything
on 'master'.  The 2.26 package on core-updates have these fixes anyway.

This particular patch author will do a lot more research on future glibc
security issues...

[signature.asc (application/pgp-signature, inline)]

[Message part 5 (message/rfc822, inline)]

From: Marius Bakke <mbakke <at> fastmail.com>
To: guix-patches <at> gnu.org
Cc: Marius Bakke <mbakke <at> fastmail.com>
Subject: [PATCH] Revert "gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671."
Date: Tue, 28 Nov 2017 18:09:37 +0100

These issues has been classified as minor by Debian:

https://security-tracker.debian.org/tracker/CVE-2017-15670
https://security-tracker.debian.org/tracker/CVE-2017-15671

...and is not worth the cost of grafting and maintaining this patch.

This reverts commit 60e29339d8389e678bb9ca4bd3420ee9ee88bdf2.
---
 gnu/local.mk                                       |  1 -
 gnu/packages/base.scm                              | 13 -----------
 .../patches/glibc-CVE-2017-15670-15671.patch       | 27 ----------------------
 3 files changed, 41 deletions(-)
 delete mode 100644 gnu/packages/patches/glibc-CVE-2017-15670-15671.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 0a46bfd3d..7b2fb7c7a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -682,7 +682,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/glibc-CVE-2017-1000366-pt1.patch		\
   %D%/packages/patches/glibc-CVE-2017-1000366-pt2.patch		\
   %D%/packages/patches/glibc-CVE-2017-1000366-pt3.patch		\
-  %D%/packages/patches/glibc-CVE-2017-15670-15671.patch		\
   %D%/packages/patches/glibc-bootstrap-system.patch		\
   %D%/packages/patches/glibc-ldd-x86_64.patch			\
   %D%/packages/patches/glibc-locales.patch			\
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 9cb628d8d..bc745351a 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -528,7 +528,6 @@ store.")
   (package
    (name "glibc")
    (version "2.25")
-   (replacement glibc/fixed)
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/glibc/glibc-"
@@ -787,15 +786,6 @@ GLIBC/HURD for a Hurd host"
 (define-syntax glibc
   (identifier-syntax (glibc-for-target)))
 
-(define glibc/fixed
-  (package
-    (inherit glibc)
-    (source (origin
-              (inherit (package-source glibc))
-              (patches (append
-                        (origin-patches (package-source glibc))
-                        (search-patches "glibc-CVE-2017-15670-15671.patch")))))))
-
 ;; Below are old libc versions, which we use mostly to build locale data in
 ;; the old format (which the new libc cannot cope with.)
 
@@ -815,7 +805,6 @@ GLIBC/HURD for a Hurd host"
                                        "glibc-o-largefile.patch"
                                        "glibc-vectorized-strcspn-guards.patch"
                                        "glibc-CVE-2015-5180.patch"
-                                       "glibc-CVE-2017-15670-15671.patch"
                                        "glibc-CVE-2017-1000366-pt1.patch"
                                        "glibc-CVE-2017-1000366-pt2.patch"
                                        "glibc-CVE-2017-1000366-pt3.patch"))))))
@@ -839,7 +828,6 @@ GLIBC/HURD for a Hurd host"
                                        "glibc-CVE-2016-3075.patch"
                                        "glibc-CVE-2016-3706.patch"
                                        "glibc-CVE-2016-4429.patch"
-                                       "glibc-CVE-2017-15670-15671.patch"
                                        "glibc-CVE-2017-1000366-pt1.patch"
                                        "glibc-CVE-2017-1000366-pt2.patch"
                                        "glibc-CVE-2017-1000366-pt3.patch"))))))
@@ -862,7 +850,6 @@ GLIBC/HURD for a Hurd host"
                                        "glibc-CVE-2016-3075.patch"
                                        "glibc-CVE-2016-3706.patch"
                                        "glibc-CVE-2016-4429.patch"
-                                       "glibc-CVE-2017-15670-15671.patch"
                                        "glibc-CVE-2017-1000366-pt1.patch"
                                        "glibc-CVE-2017-1000366-pt2.patch"
                                        "glibc-CVE-2017-1000366-pt3.patch"))))
diff --git a/gnu/packages/patches/glibc-CVE-2017-15670-15671.patch b/gnu/packages/patches/glibc-CVE-2017-15670-15671.patch
deleted file mode 100644
index 76d688c51..000000000
--- a/gnu/packages/patches/glibc-CVE-2017-15670-15671.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-Fix CVE-2017-15670:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15670
-https://sourceware.org/bugzilla/show_bug.cgi?id=22320
-https://bugzilla.redhat.com/show_bug.cgi?id=1504804
-
-And CVE-2017-15671:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15671
-https://sourceware.org/bugzilla/show_bug.cgi?id=22325
-https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15671
-
-Copied from upstream:
-<https://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=2d1bd71ec70a31b01d01b734faa66bb1ed28961f>
-
-diff --git a/posix/glob.c b/posix/glob.c
---- a/posix/glob.c
-+++ b/posix/glob.c
-@@ -843,7 +843,7 @@
- 		  *p = '\0';
- 		}
- 	      else
--		*((char *) mempcpy (newp, dirname + 1, end_name - dirname))
-+		*((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1))
- 		  = '\0';
- 	      user_name = newp;
- 	    }
-- 
2.15.0

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.