GNU bug report logs - #50698
[PATCH] WIP patches for recently-known hurd security vulnerabilities


Package: guix-patches;

Reported by: Maxime Devos <maximedevos <at> telenet.be>

Date: Mon, 20 Sep 2021 10:41:02 UTC

Severity: normal

Tags: patch, security


From: Ludovic Courtès <ludo <at> gnu.org>
To: Maxime Devos <maximedevos <at> telenet.be>
Cc: 50698 <at> debbugs.gnu.org
Subject: [bug#50698] [PATCH] WIP patches for recently-known hurd security vulnerabilities
Date: Mon, 04 Oct 2021 15:52:27 +0200
Hi Maxime,

Maxime Devos <maximedevos <at> telenet.be> skribis:

> I've tried to patch the glibc package for the problems noted at
> <https://lists.gnu.org/archive/html/bug-hurd/2021-08/msg00007.html>.
>
> I've found two recent patches (glibc-hurd-proc-reauth.patch and
> glibc-hurd-sendmsg-SCM_CREDS.patch) that appeared relevant.  I tried
> to patch our glibc package with those patches.
>
> The modified tarball builds fine for --system=x86_64-linux, but not
> for --system=i586-gnu (tested with ./pre-inst-env guix build hello
> --system=i586-gnu).  Any idea what's happening here?

Thanks for looking into it!

> From cdf38fbfcba4c87777d7ba2175f08e877dafe86a Mon Sep 17 00:00:00 2001
> From: Maxime Devos <maximedevos <at> telenet.be>
> Date: Mon, 13 Sep 2021 11:23:21 +0200
> Subject: [PATCH] WIP gnu: glibc: New security patches.
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
>
> The existence of the vulnerabilities was noted at
> <https://lists.gnu.org/archive/html/bug-hurd/2021-08/msg00007.html>.
>
> TODO: check if these are all necessary packages for glibc.
> TODO: why does the glibc tarball build for --system=x86_64-linux but not
> for --system=i586-gnu?
>
> Build error:
> ‘patching file hurd/hurdinit.c
> Hunk #1 FAILED at 177.
> 1 out of 1 hunk FAILED -- saving rejects to file hurd/hurdinit.c.rej’
>
> but this file isn't modified by the new patches!
>
> * gnu/local.mk (dist_patch_DATA): Register new patches.
> * gnu/packages/base.scm (glibc)[replacement]: Register replacement.
>   (glibc/fixed): New variable.
> * gnu/packages/patches/glibc-hurd-proc-reauth.patch: New file.
> * gnu/packages/patches/glibc-hurd-sendmsg-SCM_CREDS.patch.

[...]

> --- a/gnu/packages/base.scm
> +++ b/gnu/packages/base.scm
> @@ -706,6 +706,7 @@ the store.")
>    (package
>     (name "glibc")
>     (version "2.31")
> +   (replacement glibc/fixed)
>     (source (origin
>              (method url-fetch)
>              (uri (string-append "mirror://gnu/glibc/glibc-" version ".tar.xz"))
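Review bot: the `(replacement glibc/fixed)` field added here has no `(hurd-target?)` guard, so it takes effect for every system, and on x86_64-linux users would build and graft a glibc whose only differences are the two patches under hurd/, which change nothing there; either guard the field on `(hurd-target?)` or drop the replacement and apply the patches from a Hurd-only phase.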
> @@ -966,6 +967,12 @@ with the Linux kernel.")
>     (license lgpl2.0+)
>     (home-page "https://www.gnu.org/software/libc/")))
>  
> +(define glibc/fixed
> +  (package-with-extra-patches
> +   glibc
> +   (search-patches "glibc-hurd-sendmsg-SCM_CREDS.patch"
> +                   "glibc-hurd-proc-reauth.patch")))
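Review bot: `package-with-extra-patches` appends the two files to the origin's patch list, and origin patches are applied the same way whatever `--system` is passed, so a rejected hunk that shows up only for i586-gnu, in hurd/hurdinit.c, a file neither new patch touches, is unlikely to originate from this list; check whether a `patch` step that runs only when building for the Hurd exists and whether its hunk at line 177 overlaps a change these two patches already make.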

Instead of a replacement, which makes no sense on GNU/Linux, could you
add a conditional phase for (hurd-target?) that applies the patches?

(On ‘core-updates’ (or ‘-frozen’?) we will apply patches
unconditionally.)

Not answering your initial question, but maybe the problem will vanish
if you do things this way, who knows.  :-)

> +++ b/gnu/packages/patches/glibc-hurd-proc-reauth.patch
> @@ -0,0 +1,114 @@
> +Index: glibc-2.31/hurd/hurdsig.c

Please add a comment explaining what this patch does, what its status
is, with a link to upstream discussions.

Thank you!

Ludo’.
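An added sketch of the target-conditional phase suggested in this reply; it is not code from this thread or from Guix, and the input labels `hurd-sendmsg-patch` and `hurd-proc-reauth-patch` and the variable names are chosen here. It assumes the modules that define `glibc`, `hurd-target?`, `search-patch` and the build-system helpers are in scope, as they are in gnu/packages/base.scm.

```scheme
;; Added illustration, not from the thread: apply the two Hurd security
;; patches only when building for GNU/Hurd, so GNU/Linux builds are unchanged
;; and no 'replacement' (graft) is needed on that system.
(define hurd-security-patches
  ;; Input labels (chosen here) mapped to patch files in the repository.
  `(("hurd-sendmsg-patch"
     ,(search-patch "glibc-hurd-sendmsg-SCM_CREDS.patch"))
    ("hurd-proc-reauth-patch"
     ,(search-patch "glibc-hurd-proc-reauth.patch"))))

(define glibc-with-hurd-fixes          ; hypothetical name for the sketch
  (package
    (inherit glibc)
    (native-inputs
     ;; The patch files become inputs only for a Hurd target; fields are
     ;; thunked, so (hurd-target?) is evaluated under the --system in effect.
     `(,@(if (hurd-target?) hurd-security-patches '())
       ,@(package-native-inputs glibc)))
    (arguments
     (substitute-keyword-arguments (package-arguments glibc)
       ((#:phases phases)
        `(modify-phases ,phases
           ,@(if (hurd-target?)
                 `((add-after 'unpack 'apply-hurd-security-patches
                     (lambda* (#:key inputs #:allow-other-keys)
                       (for-each
                        (lambda (label)
                          ;; -p1 is the strip level Guix itself uses for
                          ;; origin patches; a rejected hunk makes 'patch'
                          ;; exit non-zero and 'invoke' fails the build.
                          (invoke "patch" "--force" "--no-backup-if-mismatch"
                                  "-p1" "--input" (assoc-ref inputs label)))
                        ',(map car hurd-security-patches)))))
                 '())))))))
```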
