GNU bug report logs - #66348
[PATCH RFC] gnu: glibc: Fix CVE-2023-4911.

Previous Next

Package: guix-patches;

Reported by: Liliana Marie Prikler <liliana.prikler <at> gmail.com>

Date: Wed, 4 Oct 2023 20:27:01 UTC

Severity: important

Tags: patch, security

Done: Liliana Marie Prikler <liliana.prikler <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

Message #15 received at 66348 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Liliana Marie Prikler <liliana.prikler <at> gmail.com>
Cc: 66348 <at> debbugs.gnu.org
Subject: Re: bug#66348: [PATCH RFC] gnu: glibc: Fix CVE-2023-4911.
Date: Sat, 07 Oct 2023 00:24:16 +0200

Hi Liliana,

Liliana Marie Prikler <liliana.prikler <at> gmail.com> skribis:

> * gnu/packages/patches/glibc-2.35-CVE-2023-4911.patch: New file.
> * gnu/local.mk: Register it here.
> * gnu/packages/base.scm (glibc/fixed): New variable.
> (glibc): Use it as replacement.

I’ve tested it and it LGTM.

I found a bug where the grafted libreoffice ends up indirectly referring
to the broken libc in addition to the fixed one:

--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env guix build libreoffice
/gnu/store/1v6kgw1nrccc67yqlm1pzic1y32z63xb-libreoffice-7.5.4.2
$ guix gc -R /gnu/store/1v6kgw1nrccc67yqlm1pzic1y32z63xb-libreoffice-7.5.4.2|grep glibc-2.35
/gnu/store/gsjczqir1wbz8p770zndrpw4rnppmxi3-glibc-2.35
/gnu/store/ln6hxqjvz6m9gdd9s97pivlqck7hzs99-glibc-2.35
$ ./pre-inst-env guix build libreoffice --no-grafts
/gnu/store/f5iibn55pm70icnk16hd4a8hwchicrvf-libreoffice-7.5.4.2
$ guix gc -R /gnu/store/f5iibn55pm70icnk16hd4a8hwchicrvf-libreoffice-7.5.4.2|grep glibc-2.35
/gnu/store/gsjczqir1wbz8p770zndrpw4rnppmxi3-glibc-2.35
$ guix graph -t references --path /gnu/store/1v6kgw1nrccc67yqlm1pzic1y32z63xb-libreoffice-7.5.4.2 /gnu/store/gsjczqir1wbz8p770zndrpw4rnppmxi3-glibc-2.35
/gnu/store/1v6kgw1nrccc67yqlm1pzic1y32z63xb-libreoffice-7.5.4.2
/gnu/store/y392yldk4pbk4z5q587bz5n61hzbcf4g-mariadb-10.10.2-dev
/gnu/store/cilkyfnc5fxmpviyypci3d2881ik3nih-mariadb-10.10.2-lib
/gnu/store/gsjczqir1wbz8p770zndrpw4rnppmxi3-glibc-2.35
--8<---------------cut here---------------end--------------->8---

Not a showstopper but we’ll need to investigate.

Another concern: we’ll be grafting every single package.  It hurts
performance so we may want to “ungraft” in core-updates and get it
merged soon.

Thoughts?

Ludo’.
This bug report was last modified 1 year and 222 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.