From: bug#66348 <66348@debbugs.gnu.org>
To: bug#66348 <66348@debbugs.gnu.org>
Subject: Status: [PATCH RFC] gnu: glibc: Fix CVE-2023-4911.
Date: Thu, 19 Jun 2025 06:10:13 +0000

retitle 66348 [PATCH RFC] gnu: glibc: Fix CVE-2023-4911.
reassign 66348 guix-patches
submitter 66348 Liliana Marie Prikler
severity 66348 important
tag 66348 patch security
thanks

From: Liliana Marie Prikler
Date: Wed, 4 Oct 2023 21:27:13 +0200
Subject: [PATCH RFC] gnu: glibc: Fix CVE-2023-4911.
To: guix-patches@gnu.org
Cc: Ludovic Courtès

* gnu/packages/patches/glibc-2.35-CVE-2023-4911.patch: New file.
* gnu/local.mk: Register it here.
* gnu/packages/base.scm (glibc/fixed): New variable.
(glibc): Use it as replacement.
---
Hi folks,

you might have heard about a little bad boi called CVE-2023-4911. Stirred up some news recently. I've "backported" the fix that's currently sleeping on glibc master to our current glibc; only a test needed adjusting. I still have to verify that it works in a vm, but it appears to be rebuilding more than I anticipated, so that might take me some time.

Anyway, have at it in the meantime.

Cheers

 gnu/local.mk | 1 +
 gnu/packages/base.scm | 10 ++
 .../patches/glibc-2.35-CVE-2023-4911.patch | 160 ++++++++++++++++++
 3 files changed, 171 insertions(+)
 create mode 100644 gnu/packages/patches/glibc-2.35-CVE-2023-4911.patch

diff --git a/gnu/local.mk b/gnu/local.mk index 83b5268c7e..4a2c635ce6 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -1275,6 +1275,7 @@ dist_patch_DATA = \ %D%/packages/patches/glibc-CVE-2019-7309.patch \ %D%/packages/patches/glibc-CVE-2019-9169.patch \ %D%/packages/patches/glibc-CVE-2019-19126.patch \ + %D%/packages/patches/glibc-2.35-CVE-2023-4911.patch \ %D%/packages/patches/glibc-allow-kernel-2.6.32.patch \ %D%/packages/patches/glibc-boot-2.16.0.patch \ %D%/packages/patches/glibc-boot-2.2.5.patch \ diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index c0813f7de0..2d8e9143cd 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm @@ -793,6 +793,7 @@ (define-public glibc (package (name "glibc") (version "2.35") + (replacement glibc/fixed) (source (origin (method url-fetch) (uri (string-append "mirror://gnu/glibc/glibc-" version ".tar.xz")) @@ -1062,6 +1063,15 @@ (define-public glibc (license lgpl2.0+) (home-page "https://www.gnu.org/software/libc/"))) +(define glibc/fixed + (package + (inherit glibc) + (source + (origin (inherit (package-source glibc)) + (patches + (append (search-patches "glibc-2.35-CVE-2023-4911.patch") + (origin-patches (package-source glibc)))))))) + ;; Define a variation of glibc which uses the default /etc/ld.so.cache, useful ;; in FHS containers. (define-public glibc-for-fhs diff --git a/gnu/packages/patches/glibc-2.35-CVE-2023-4911.patch b/gnu/packages/patches/glibc-2.35-CVE-2023-4911.patch new file mode 100644 index 0000000000..d8044f064d --- /dev/null +++ b/gnu/packages/patches/glibc-2.35-CVE-2023-4911.patch 
@@ -0,0 +1,160 @@ +From 1056e5b4c3f2d90ed2b4a55f96add28da2f4c8fa Mon Sep 17 00:00:00 2001 +From: Siddhesh Poyarekar +Date: Tue, 19 Sep 2023 18:39:32 -0400 +Subject: [PATCH 1/1] tunables: Terminate if end of input is reached + (CVE-2023-4911) + +The string parsing routine may end up writing beyond bounds of tunestr +if the input tunable string is malformed, of the form name=name=val. +This gets processed twice, first as name=name=val and next as name=val, +resulting in tunestr being name=name=val:name=val, thus overflowing +tunestr. + +Terminate the parsing loop at the first instance itself so that tunestr +does not overflow. + +This also fixes up tst-env-setuid-tunables to actually handle failures +correct and add new tests to validate the fix for this CVE. + +Signed-off-by: Siddhesh Poyarekar +Reviewed-by: Carlos O'Donell +--- +Backported to 2.35 by Liliana Marie Prikler + + NEWS | 5 +++++ + elf/dl-tunables.c | 17 +++++++++------- + elf/tst-env-setuid-tunables.c | 37 +++++++++++++++++++++++++++-------- + 3 files changed, 44 insertions(+), 15 deletions(-) + +Index: glibc-2.35/NEWS +=================================================================== +--- glibc-2.35.orig/NEWS ++++ glibc-2.35/NEWS +@@ -199,6 +199,11 @@ Security related changes: + corresponds to the / directory through an unprivileged mount + namespace. Reported by Qualys. + ++ CVE-2023-4911: If a tunable of the form NAME=NAME=VAL is passed in the ++ environment of a setuid program and NAME is valid, it may result in a ++ buffer overflow, which could be exploited to achieve escalated ++ privileges. This flaw was introduced in glibc 2.34. 
++ + The following bugs are resolved with this release: + + [12889] nptl: Race condition in pthread_kill +Index: glibc-2.35/elf/dl-tunables.c +=================================================================== +--- glibc-2.35.orig/elf/dl-tunables.c ++++ glibc-2.35/elf/dl-tunables.c +@@ -187,11 +187,7 @@ parse_tunables (char *tunestr, char *val + /* If we reach the end of the string before getting a valid name-value + pair, bail out. */ + if (p[len] == '\0') +- { +- if (__libc_enable_secure) +- tunestr[off] = '\0'; +- return; +- } ++ break; + + /* We did not find a valid name-value pair before encountering the + colon. */ +@@ -251,9 +247,16 @@ parse_tunables (char *tunestr, char *val + } + } + +- if (p[len] != '\0') +- p += len + 1; ++ /* We reached the end while processing the tunable string. */ ++ if (p[len] == '\0') ++ break; ++ ++ p += len + 1; + } ++ ++ /* Terminate tunestr before we leave. */ ++ if (__libc_enable_secure) ++ tunestr[off] = '\0'; + } + #endif + +Index: glibc-2.35/elf/tst-env-setuid-tunables.c +=================================================================== +--- glibc-2.35.orig/elf/tst-env-setuid-tunables.c ++++ glibc-2.35/elf/tst-env-setuid-tunables.c +@@ -52,6 +52,8 @@ const char *teststrings[] = + "glibc.malloc.perturb=0x800:not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096", + "glibc.not_valid.check=2:glibc.malloc.mmap_threshold=4096", + "not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096", ++ "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096", ++ "glibc.malloc.check=2", + "glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096:glibc.malloc.check=2", + "glibc.malloc.check=4:glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096", + ":glibc.malloc.garbage=2:glibc.malloc.check=1", +@@ -70,6 +72,8 @@ const char *resultstrings[] = + "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096", + "glibc.malloc.mmap_threshold=4096", + "glibc.malloc.mmap_threshold=4096", ++ 
"glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096", ++ "", + "", + "", + "", +@@ -89,6 +93,8 @@ test_child (int off) + + if (val != NULL) + printf ("[%d] Unexpected GLIBC_TUNABLES VALUE %s\n", off, val); ++ else ++ printf ("[%d] GLIBC_TUNABLES environment variable absent\n", off); + + return 1; + #else +@@ -117,21 +123,26 @@ do_test (int argc, char **argv) + if (ret != 0) + exit (1); + +- exit (EXIT_SUCCESS); ++ /* Special return code to make sure that the child executed all the way ++ through. */ ++ exit (42); + } + else + { +- int ret = 0; +- + /* Spawn tests. */ + for (int i = 0; i < array_length (teststrings); i++) + { + char buf[INT_BUFSIZE_BOUND (int)]; + +- printf ("Spawned test for %s (%d)\n", teststrings[i], i); ++ printf ("[%d] Spawned test for %s\n", i, teststrings[i]); + snprintf (buf, sizeof (buf), "%d\n", i); ++ fflush (stdout); + if (setenv ("GLIBC_TUNABLES", teststrings[i], 1) != 0) +- exit (1); ++ { ++ printf (" [%d] Failed to set GLIBC_TUNABLES: %m", i); ++ support_record_failure (); ++ continue; ++ } + + int status = support_capture_subprogram_self_sgid (buf); + +@@ -139,9 +150,14 @@ do_test (int argc, char **argv) + if (WEXITSTATUS (status) == EXIT_UNSUPPORTED) + return EXIT_UNSUPPORTED; + +- ret |= status; ++ if (WEXITSTATUS (status) != 42) ++ { ++ printf (" [%d] child failed with status %d\n", i, ++ WEXITSTATUS (status)); ++ support_record_failure (); ++ } + } +- return ret; ++ return 0; + } + } + base-commit: e71864793021051cff35597abd59bb2d5649977d -- 2.41.0 From debbugs-submit-bounces@debbugs.gnu.org Thu Oct 05 01:47:18 2023 Received: (at 66348) by debbugs.gnu.org; 5 Oct 2023 05:47:18 +0000 Received: from localhost ([127.0.0.1]:45797 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qoHCf-0002Q0-Sh for submit@debbugs.gnu.org; Thu, 05 Oct 2023 01:47:18 -0400 Received: from mail-wr1-x444.google.com ([2a00:1450:4864:20::444]:47162) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 
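
Review bot: glibc/fixed in the second gnu/packages/base.scm hunk has no comment saying that it exists only as the graft target for CVE-2023-4911, so nothing tells the next person to fold glibc-2.35-CVE-2023-4911.patch into glibc's own patch list and drop the variable when glibc is next rebuilt. Because it inherits from glibc, which now carries (replacement glibc/fixed), it also inherits a replacement field that points back at itself; adding (replacement #f) to glibc/fixed would state the intent explicitly.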
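
Review bot: the new tail of parse_tunables in the second elf/dl-tunables.c hunk writes tunestr[off] = '\0' on every exit path, but nothing in the hunk states why off is still inside tunestr at that point. The patch description attributes the overflow to the same input being processed twice, so the comment "Terminate tunestr before we leave" could also record that the loop now stops at the first end of input and never makes that second pass, which would help keep a later change from reintroducing it.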
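
Review bot: in the do_test hunk of elf/tst-env-setuid-tunables.c the new message printf (" [%d] Failed to set GLIBC_TUNABLES: %m", i) has no trailing \n, unlike the other messages this patch adds, and since the loop now continues instead of exiting it will run into the next "[%d] Spawned test" line. The sentinel 42 is also written out twice, in exit (42) and in WEXITSTATUS (status) != 42; a named constant would keep the two in step.
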
From: Liliana Marie Prikler
To: 66348@debbugs.gnu.org
Cc: Ludovic Courtès
Date: Thu, 05 Oct 2023 07:46:49 +0200
Subject: Re: [PATCH RFC] gnu: glibc: Fix CVE-2023-4911.

On Wednesday, 04.10.2023 at 21:27 +0200, Liliana Marie Prikler wrote:
> * gnu/packages/patches/glibc-2.35-CVE-2023-4911.patch: New file.
> * gnu/local.mk: Register it here.
> * gnu/packages/base.scm (glibc/fixed): New variable.
> (glibc): Use it as replacement.
> ---
> Hi folks,
>
> you might have heard about a little bad boi called CVE-2023-4911.
> Stirred up some news recently. I've "backported" the fix that's
> currently sleeping on glibc master to our current glibc; only a test
> needed adjusting. I still have to verify that it works in a vm, but
> it appears to be rebuilding more than I anticipated, so that might
> take me some time.
>
> Anyway, have at it in the meantime.

Confirmed in a VM that su no longer segfaults with this.

Cheers

From: Ludovic Courtès
To: control@debbugs.gnu.org
Date: Sat, 07 Oct 2023 00:00:28 +0200
Subject: control message for bug #66348

severity 66348 important
quit

From: Ludovic Courtès
To: control@debbugs.gnu.org
Date: Sat, 07 Oct 2023 00:00:31 +0200
Subject: control message for bug #66348

tags 66348 + security
quit

From: Ludovic Courtès
To: Liliana Marie Prikler
Cc: 66348@debbugs.gnu.org
Subject: Re: bug#66348: [PATCH RFC] gnu: glibc: Fix CVE-2023-4911.
Date: Sat, 07 Oct 2023 00:24:16 +0200

Hi Liliana,

Liliana Marie Prikler wrote:

> * gnu/packages/patches/glibc-2.35-CVE-2023-4911.patch: New file.
> * gnu/local.mk: Register it here.
> * gnu/packages/base.scm (glibc/fixed): New variable.
> (glibc): Use it as replacement.

I’ve tested it and it LGTM.

I found a bug where the grafted libreoffice ends up indirectly referring to the broken libc in addition to the fixed one:

--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env guix build libreoffice
/gnu/store/1v6kgw1nrccc67yqlm1pzic1y32z63xb-libreoffice-7.5.4.2
$ guix gc -R /gnu/store/1v6kgw1nrccc67yqlm1pzic1y32z63xb-libreoffice-7.5.4.2|grep glibc-2.35
/gnu/store/gsjczqir1wbz8p770zndrpw4rnppmxi3-glibc-2.35
/gnu/store/ln6hxqjvz6m9gdd9s97pivlqck7hzs99-glibc-2.35
$ ./pre-inst-env guix build libreoffice --no-grafts
/gnu/store/f5iibn55pm70icnk16hd4a8hwchicrvf-libreoffice-7.5.4.2
$ guix gc -R /gnu/store/f5iibn55pm70icnk16hd4a8hwchicrvf-libreoffice-7.5.4.2|grep glibc-2.35
/gnu/store/gsjczqir1wbz8p770zndrpw4rnppmxi3-glibc-2.35
$ guix graph -t references --path /gnu/store/1v6kgw1nrccc67yqlm1pzic1y32z63xb-libreoffice-7.5.4.2 /gnu/store/gsjczqir1wbz8p770zndrpw4rnppmxi3-glibc-2.35
/gnu/store/1v6kgw1nrccc67yqlm1pzic1y32z63xb-libreoffice-7.5.4.2
/gnu/store/y392yldk4pbk4z5q587bz5n61hzbcf4g-mariadb-10.10.2-dev
/gnu/store/cilkyfnc5fxmpviyypci3d2881ik3nih-mariadb-10.10.2-lib
/gnu/store/gsjczqir1wbz8p770zndrpw4rnppmxi3-glibc-2.35
--8<---------------cut here---------------end--------------->8---

Not a showstopper but we’ll need to investigate.

Another concern: we’ll be grafting every single package. It hurts performance so we may want to “ungraft” in core-updates and get it merged soon.

Thoughts?

Ludo’.

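The check in the message above, generalised to every package in a closure, as an added example that is not part of the original thread: it reads store paths as printed by `guix gc -R` and lists each name-version that appears under more than one store hash, which is how a closure that still references the ungrafted glibc shows up. The function names and the embedded sample (paths copied from the message) are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: find packages that a closure contains
# under more than one store hash (e.g. a grafted and an ungrafted glibc).
#
# Usage on a real system:  guix gc -R ITEM | duplicate_variants

duplicate_variants() {
    # stdin:  store paths, one per line, as printed by `guix gc -R ITEM`
    # stdout: "NAME-VERSION PATH" for every path whose NAME-VERSION occurs
    #         under two or more different hashes; nothing if the closure
    #         is consistent.
    awk '
        # A store item looks like /gnu/store/<hash>-<name-version>.
        match($0, /^\/gnu\/store\/[0-9a-z]+-/) {
            if ($0 in seen) next            # ignore repeated lines
            seen[$0] = 1
            name = substr($0, RLENGTH + 1)  # strip prefix and hash
            n[name]++
            paths[name] = paths[name] name " " $0 "\n"
        }
        END {
            for (name in n)
                if (n[name] > 1)
                    printf "%s", paths[name]
        }
    ' | LC_ALL=C sort
}

# Constructed sample: store paths quoted in the message above, standing in
# for the output of `guix gc -R` on the grafted libreoffice.
sample_closure() {
    cat <<'EOF'
/gnu/store/1v6kgw1nrccc67yqlm1pzic1y32z63xb-libreoffice-7.5.4.2
/gnu/store/y392yldk4pbk4z5q587bz5n61hzbcf4g-mariadb-10.10.2-dev
/gnu/store/cilkyfnc5fxmpviyypci3d2881ik3nih-mariadb-10.10.2-lib
/gnu/store/gsjczqir1wbz8p770zndrpw4rnppmxi3-glibc-2.35
/gnu/store/ln6hxqjvz6m9gdd9s97pivlqck7hzs99-glibc-2.35
EOF
}

# Separate outputs such as -dev and -lib have different names, so only
# glibc-2.35 is reported for the sample.
sample_closure | duplicate_variants
```

A non-empty result only says that two variants are present; `guix graph -t references --path`, as used in the message, then shows which dependency pulls in the old one.
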
From: Liliana Marie Prikler
To: Ludovic Courtès
Cc: 66348@debbugs.gnu.org
Date: Sat, 07 Oct 2023 00:56:43 +0200
Subject: Re: bug#66348: [PATCH RFC] gnu: glibc: Fix CVE-2023-4911.

On Saturday, 07.10.2023 at 00:24 +0200, Ludovic Courtès wrote:
> Hi Liliana,
>
> Liliana Marie Prikler wrote:
>
> > * gnu/packages/patches/glibc-2.35-CVE-2023-4911.patch: New file.
> > * gnu/local.mk: Register it here.
> > * gnu/packages/base.scm (glibc/fixed): New variable.
> > (glibc): Use it as replacement.
>
> I’ve tested it and it LGTM.
>
> I found a bug where the grafted libreoffice ends up indirectly
> referring to the broken libc in addition to the fixed one:
>
> --8<---------------cut here---------------start------------->8---
> $ ./pre-inst-env guix build libreoffice
> /gnu/store/1v6kgw1nrccc67yqlm1pzic1y32z63xb-libreoffice-7.5.4.2
> $ guix gc -R /gnu/store/1v6kgw1nrccc67yqlm1pzic1y32z63xb-libreoffice-
> 7.5.4.2|grep glibc-2.35
> /gnu/store/gsjczqir1wbz8p770zndrpw4rnppmxi3-glibc-2.35
> /gnu/store/ln6hxqjvz6m9gdd9s97pivlqck7hzs99-glibc-2.35
> $ ./pre-inst-env guix build libreoffice --no-grafts
> /gnu/store/f5iibn55pm70icnk16hd4a8hwchicrvf-libreoffice-7.5.4.2
> $ guix gc -R /gnu/store/f5iibn55pm70icnk16hd4a8hwchicrvf-libreoffice-
> 7.5.4.2|grep glibc-2.35
> /gnu/store/gsjczqir1wbz8p770zndrpw4rnppmxi3-glibc-2.35
> $ guix graph -t references --path
> /gnu/store/1v6kgw1nrccc67yqlm1pzic1y32z63xb-libreoffice-7.5.4.2
> /gnu/store/gsjczqir1wbz8p770zndrpw4rnppmxi3-glibc-2.35
> /gnu/store/1v6kgw1nrccc67yqlm1pzic1y32z63xb-libreoffice-7.5.4.2
> /gnu/store/y392yldk4pbk4z5q587bz5n61hzbcf4g-mariadb-10.10.2-dev
> /gnu/store/cilkyfnc5fxmpviyypci3d2881ik3nih-mariadb-10.10.2-lib
> /gnu/store/gsjczqir1wbz8p770zndrpw4rnppmxi3-glibc-2.35
> --8<---------------cut here---------------end--------------->8---
>
> Not a showstopper but we’ll need to investigate.

Eww.

> Another concern: we’ll be grafting every single package. It hurts
> performance so we may want to “ungraft” in core-updates and get it
> merged soon.
>
> Thoughts?

Is core-updates ready otherwise? If not, we might want to do a quick "ungrafting" branch before that.

Cheers

From: Ludovic Courtès
To: Liliana Marie Prikler
Cc: 66348@debbugs.gnu.org
Subject: Re: bug#66348: [PATCH RFC] gnu: glibc: Fix CVE-2023-4911.
Date: Wed, 11 Oct 2023 23:24:56 +0200

Hi Liliana,

Liliana Marie Prikler wrote:

> On Saturday, 07.10.2023 at 00:24 +0200, Ludovic Courtès wrote:

[...]

>> Another concern: we’ll be grafting every single package. It hurts
>> performance so we may want to “ungraft” in core-updates and get it
>> merged soon.
>>
>> Thoughts?
> Is core-updates ready otherwise? If not, we might want to do a quick
> "ungrafting" branch before that.

To be clear: I think this patch should go to ‘master’, we’d rather not wait too long.

As for ungrafting, yeah, maybe we’ll need a branch, but let’s discuss that separately.

Thanks,
Ludo’.

From debbugs-submit-bounces@debbugs.gnu.org Thu Oct 12 00:59:18 2023
Message-ID: <01782ce35e0c6c5d07392060761298980a46e628.camel@gmail.com>
Subject: Re: bug#66348: [PATCH RFC] gnu: glibc: Fix CVE-2023-4911.
From: Liliana Marie Prikler
To: Ludovic Courtès
Cc: 66348-done@debbugs.gnu.org
Date: Thu, 12 Oct 2023 06:58:36 +0200
In-Reply-To: <874jiwrgwn.fsf_-_@gnu.org>

On Wednesday, 11.10.2023 at 23:24 +0200, Ludovic Courtès wrote:
> Hi Liliana,
>
> Liliana Marie Prikler wrote:
>
> > On Saturday, 07.10.2023 at 00:24 +0200, Ludovic Courtès wrote:
>
> [...]
>
> > > Another concern: we’ll be grafting every single package.  It
> > > hurts performance so we may want to “ungraft” in core-updates and
> > > get it merged soon.
> > >
> > > Thoughts?
> > Is core-updates ready otherwise?  If not, we might want to do a
> > quick "ungrafting" branch before that.
>
> To be clear: I think this patch should go to ‘master’, we’d rather
> not wait too long.
Okay.  Pushed to master now.

> As for ungrafting, yeah, maybe we’ll need a branch, but let’s discuss
> that separately.
Sure.

Cheers

From unknown Wed Jun 18 23:10:13 2025
To: internal_control@debbugs.gnu.org
From: Debbugs Internal Request
Subject: Internal Control
Message-Id: bug archived.
Date: Thu, 09 Nov 2023 12:24:10 +0000
User-Agent: Fakemail v42.6.9

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator