From: "McSinyx"
Date: Fri, 26 Apr 2024 15:44:50 +0900
Subject: PHP, glibc, and CVE-2024-2961

Hello Guix,

Last week, an overflow bug in glibc's iconv(3) was discovered:
https://www.openwall.com/lists/oss-security/2024/04/17/9

It may enable remote code execution through PHP.  Due to the immutable
nature of Guix, is it possible to hotpatch this using graft,
or do we need to rebuild the world?
https://rockylinux.org/news/glibc-vulnerability-april-2024/

Kind regards,
McSinyx

From: Liliana Marie Prikler
To: McSinyx, 70581@debbugs.gnu.org
Cc: guix-security@gnu.org
Date: Fri, 26 Apr 2024 09:20:53 +0200
Subject: Re: PHP, glibc, and CVE-2024-2961

Hi McSinyx,

security-relevant bugs ought to go to , see [1].  Since a patch exists
for glibc all the way back to 2.30, I suppose a graft can be used and
should be performed timely.

Cheers

[1] https://guix.gnu.org/en/security/

From: Ludovic Courtès
To: control@debbugs.gnu.org
Date: Sat, 25 May 2024 11:12:04 +0200
Subject: control message for bug #70581

tags 70581 + security
quit

From: Maxim Cournoyer
To: 70581@debbugs.gnu.org
Cc: Maxim Cournoyer, guix-security@gnu.org
X-Debbugs-Cc: McSinyx, Liliana Marie Prikler, Ludovic Courtès, Andreas Enge, Janneke Nieuwenhuizen
Subject: [PATCH] gnu: glibc: Graft with fix for CVE-2024-2961.
Date: Sat, 14 Dec 2024 23:20:53 +0900

* gnu/packages/base.scm (%glibc-patches): New variable.
(glibc) [source]: Use it.
[properties]: Mark CVE-2024-2961 as hidden (resolved).
[replacement]: Add field to graft with...
(glibc/fixed): ... this new package.

Fixes:
Change-Id: I6dd70b0e157283925824348f180c466c2f6387c9
--- gnu/packages/base.scm | 55 ++++++++++++++++++++++++++++++++----------- 1 file changed, 41 insertions(+), 14 deletions(-) diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index b3f54798c4..a060ed556d 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm
@@ -878,6 +878,21 @@ (define* (make-ld-wrapper name #:key (home-page "https://www.gnu.org/software/guix//") (license gpl3+))) +(define %glibc-patches + (list "glibc-2.39-git-updates.patch" + "glibc-ldd-powerpc.patch" + "glibc-2.38-ldd-x86_64.patch" + "glibc-dl-cache.patch" + "glibc-2.37-versioned-locpath.patch" + ;; "glibc-allow-kernel-2.6.32.patch" + "glibc-reinstate-prlimit64-fallback.patch" + "glibc-supported-locales.patch" + "glibc-2.37-hurd-clock_t_centiseconds.patch" + "glibc-2.37-hurd-local-clock_gettime_MONOTONIC.patch" + "glibc-hurd-mach-print.patch" + "glibc-hurd-gettyent.patch" + "glibc-hurd-getauxval.patch")) + (define-public glibc ;; This is the GNU C Library, used on GNU/Linux and GNU/Hurd. Prior to ;; version 2.28, GNU/Hurd used a different glibc branch. @@ -890,21 +905,11 @@ (define-public glibc (sha256 (base32 "09nrwb0ksbah9k35jchd28xxp2hidilqdgz7b8v5f30pz1yd8yzp")) - (patches (search-patches "glibc-2.39-git-updates.patch" - "glibc-ldd-powerpc.patch" - "glibc-2.38-ldd-x86_64.patch" - "glibc-dl-cache.patch" - "glibc-2.37-versioned-locpath.patch" - ;; "glibc-allow-kernel-2.6.32.patch" - "glibc-reinstate-prlimit64-fallback.patch" - "glibc-supported-locales.patch" - "glibc-2.37-hurd-clock_t_centiseconds.patch" - "glibc-2.37-hurd-local-clock_gettime_MONOTONIC.patch" - "glibc-hurd-mach-print.patch" - "glibc-hurd-gettyent.patch" - "glibc-hurd-getauxval.patch")))) - (properties `((lint-hidden-cve . ("CVE-2024-33601" "CVE-2024-33602" + (patches (map search-patch %glibc-patches)))) + (properties `((lint-hidden-cve . ("CVE-2024-2961" + "CVE-2024-33601" "CVE-2024-33602" "CVE-2024-33600" "CVE-2024-33599")))) + (replacement glibc/fixed) (build-system gnu-build-system) ;; Glibc's refers to , for instance, so glibc 
@@ -1182,6 +1187,28 @@ (define-public glibc (license lgpl2.0+) (home-page "https://www.gnu.org/software/libc/"))) +(define glibc/fixed + (package + (inherit glibc) + (name "glibc") + (version (package-version glibc)) + (source (origin + (method git-fetch) + (uri (git-reference + (url "git://sourceware.org/git/glibc.git") + ;; This is the latest commit from the + ;; 'release/2.39/master' branch, where CVEs and other + ;; important bug fixes are cherry picked. + (commit "2c882bf9c15d206aaf04766d1b8e3ae5b1002cc2"))) + (file-name (git-file-name name version)) + (sha256 + (base32 + "111yf24g0qcfcxywfzrilmjxysahlbkzxfimcz9rq8p00qzvvf51")) + (patches (map search-patch + (fold (cut delete <...>) + %glibc-patches + '("glibc-2.39-git-updates.patch")))))))) + ;; Define a variation of glibc which uses the default /etc/ld.so.cache, useful ;; in FHS containers. (define-public glibc-for-fhs base-commit: 93e1586116f39a30ba1fcb67bd839a43533dfaf4 -- 2.46.0
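
Review bot: The new '%glibc-patches' list in the first hunk (@@ -878,6 +878,21 @@) has no comment saying that it holds bare patch file names which callers still have to resolve with 'search-patch', nor that both 'glibc' and 'glibc/fixed' consume it. A short comment above the 'define' would help, and the commented-out ;; "glibc-allow-kernel-2.6.32.patch" entry copied into it should either be dropped or given a reason for staying.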
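
Review bot: In the second hunk (@@ -890,21 +905,11 @@), "CVE-2024-2961" is added to 'lint-hidden-cve' on 'glibc' itself, while the fix is only reachable through '(replacement glibc/fixed)', and nothing in the hunk records that link. A comment next to the property saying that this CVE is resolved by the graft would signal that the hidden entry has to be revisited if the 'replacement' field is removed before the base source is updated.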
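
Review bot: In the third hunk (@@ -1182,6 +1187,28 @@), the 'patches' field of 'glibc/fixed' drops a single name with '(fold (cut delete <...>) %glibc-patches '("glibc-2.39-git-updates.patch"))', which is harder to read than '(delete "glibc-2.39-git-updates.patch" %glibc-patches)' and produces the same list when only one name is deleted. The hunk also gives no reason for leaving that patch out of the git checkout, and the comment calling the pinned commit "the latest commit" of 'release/2.39/master' will go stale, so stating the date it was taken would age better.
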
From: Maxim Cournoyer
To: 70581-done@debbugs.gnu.org
Cc: Ludovic Courtès, guix-security@gnu.org, Liliana Marie Prikler, Andreas Enge, McSinyx, Janneke Nieuwenhuizen
Subject: Re: bug#70581: PHP, glibc, and CVE-2024-2961
Date: Wed, 18 Dec 2024 16:31:37 +0900

Hi

Maxim Cournoyer writes:

> * gnu/packages/base.scm (%glibc-patches): New variable.
> (glibc) [source]: Use it.
> [properties]: Mark CVE-2024-2961 as hidden (resolved).
> [replacement]: Add field to graft with...
> (glibc/fixed): ... this new package.
>
> Fixes:
> Change-Id: I6dd70b0e157283925824348f180c466c2f6387c9

Applied.

-- 
Thanks,
Maxim

From: Ludovic Courtès
To: Maxim Cournoyer
Cc: guix-security@gnu.org, Liliana Marie Prikler, Andreas Enge, 70581@debbugs.gnu.org, McSinyx, Janneke Nieuwenhuizen
Subject: Re: bug#70581: PHP, glibc, and CVE-2024-2961
Date: Wed, 18 Dec 2024 11:07:48 +0100

Hi,

Maxim Cournoyer writes:

> * gnu/packages/base.scm (%glibc-patches): New variable.
> (glibc) [source]: Use it.
> [properties]: Mark CVE-2024-2961 as hidden (resolved).
> [replacement]: Add field to graft with...
> (glibc/fixed): ... this new package.
>
> Fixes:
> Change-Id: I6dd70b0e157283925824348f180c466c2f6387c9

I’m late to the party, apologies!  (I was Cc’d, despite being on
‘core-packages’, weird.)

> + (patches (map search-patch
> + (fold (cut delete <...>)
> + %glibc-patches
> + '("glibc-2.39-git-updates.patch"))))))))

Or: (delete "glibc-2.39-git-updates.patch" (search-patches %glibc-patches)).

Thank you!

Ludo’.

From: Maxim Cournoyer
To: Ludovic Courtès
Cc: guix-security@gnu.org, Liliana Marie Prikler, Andreas Enge, 70581@debbugs.gnu.org, McSinyx, Janneke Nieuwenhuizen
Subject: Re: bug#70581: PHP, glibc, and CVE-2024-2961
Date: Thu, 19 Dec 2024 11:25:53 +0900

Hi Ludovic,

Ludovic Courtès writes:

[...]

>> + (patches (map search-patch
>> + (fold (cut delete <...>)
>> + %glibc-patches
>> + '("glibc-2.39-git-updates.patch"))))))))
>
> Or: (delete "glibc-2.39-git-updates.patch" (search-patches %glibc-patches)).

It doesn't seem to work the way you'd intuitively expect, because
search-patches is syntax, and %glibc-patches is a list.  So you at least
need the map and search-patch procedure:

--8<---------------cut here---------------start------------->8---
(delete "glibc-2.39-git-updates.patch" (map search-patch %glibc-patches)).
--8<---------------cut here---------------end--------------->8---

And then the delete has no effect because 'search-path' returns absolute
paths, so the patch to delete is now something like
'/home/maxim/src/guix/gnu/packages/patches/glibc-2.39-git-updates.patch',
for example.

-- 
Thanks,
Maxim

From: Liliana Prikler
To: Maxim Cournoyer, Ludovic Courtès
Cc: Andreas Enge, Janneke Nieuwenhuizen, 70581@debbugs.gnu.org, McSinyx, guix-security@gnu.org
Subject: Re: bug#70581: PHP, glibc, and CVE-2024-2961
Date: Fri, 20 Dec 2024 08:00:13 +0100

On Thursday, 19.12.2024 at 11:25 +0900, Maxim Cournoyer wrote:
> Hi Ludovic,
>
> Ludovic Courtès writes:
>
> [...]
>
> > > +              (patches (map search-patch
> > > +                            (fold (cut delete <...>)
> > > +                                  %glibc-patches
> > > +                                  '("glibc-2.39-git-updates.patch"))))))))
> >
> > Or: (delete "glibc-2.39-git-updates.patch" (search-patches %glibc-patches)).
>
> It doesn't seem to work the way you'd intuitively expect, because
> search-patches is syntax, and %glibc-patches is a list.  So you at
> least need the map and search-patch procedure:
>
> --8<---------------cut here---------------start------------->8---
> (delete "glibc-2.39-git-updates.patch" (map search-patch %glibc-patches)).
> --8<---------------cut here---------------end--------------->8---
>
> And then the delete has no effect because 'search-path' returns
> absolute paths, so the patch to delete is now something like
> '/home/maxim/src/guix/gnu/packages/patches/glibc-2.39-git-updates.patch',
> for example.

What about
  (map search-patch
       (delete "glibc-2.39-git-updates.patch" %glibc-patches))
?

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Fri, 17 Jan 2025 12:24:12 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator