From unknown Mon Aug 18 22:13:03 2025 X-Loop: help-debbugs@gnu.org Subject: bug#70581: PHP, glibc, and CVE-2024-2961 Resent-From: "McSinyx" Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Fri, 26 Apr 2024 06:46:07 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 70581 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: 70581@debbugs.gnu.org X-Debbugs-Original-To: Received: via spool by submit@debbugs.gnu.org id=B.171411393128036 (code B ref -1); Fri, 26 Apr 2024 06:46:07 +0000 Received: (at submit) by debbugs.gnu.org; 26 Apr 2024 06:45:31 +0000 Received: from localhost ([127.0.0.1]:33648 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1s0FKs-0007I5-MB for submit@debbugs.gnu.org; Fri, 26 Apr 2024 02:45:31 -0400 Received: from lists.gnu.org ([2001:470:142::17]:59610) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1s0FKq-0007GL-76 for submit@debbugs.gnu.org; Fri, 26 Apr 2024 02:45:29 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1s0FKP-0007Xb-E2 for bug-guix@gnu.org; Fri, 26 Apr 2024 02:45:01 -0400 Received: from tem.loang.net ([2a03:3b40:100::1:2]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1s0FKN-0004TU-Jx for bug-guix@gnu.org; Fri, 26 Apr 2024 02:45:01 -0400 DKIM-Signature: a=rsa-sha256; bh=D8uAUsG5rzYaKX3jUZL5JknVpaDuuKM9HneVWiP5Y5k=; c=relaxed/relaxed; d=loang.net; h=Subject:Subject:Sender:To:To:Cc:From:From:Date:Date:MIME-Version:MIME-Version:Content-Type:Content-Type:Content-Transfer-Encoding:Content-Transfer-Encoding:Reply-To:In-Reply-To:Message-Id:Message-Id:References:Autocrypt:Openpgp; i=@loang.net; s=default; t=1714113892; v=1; x=1714545892; b=OwYJSxppqBcz3exTR3jxl6tG2Icl/SJOjaXXEg23WWBJ6UQvqP7Zfcjk/dhnOKUTSi0KUyaN S9pj4c5oRj+srP2I0qBQBXui1KYW01FO9b0r6BCgGDETwuKSBA43VLMHQXweZMCPeXxZr1qZTwh Mb8AxT7BwEdZ0NEg4/Iadg2lGdeVd1trlVekt/yVobR+SYnn616dUUzZ3pHNPWQ7HrW2fH+5vL4 8Fd20q6l8VNkMd4sX49MIIGwfL14JUc6Psmv5r5UeMNgOSRpZDCzmcHYtwg54StBqC3ISBKOhlw fJAyoQT6aqA06RoZ/I2b9NDxuT71eTMWy1hRIeHpOaYKQ== Received: by tem.loang.net (envelope-sender ) with ESMTPS id 6b865c07; Fri, 26 Apr 2024 06:44:52 +0000 Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 Date: Fri, 26 Apr 2024 15:44:50 +0900 From: "McSinyx" Message-Id: X-Mailer: aerc 0.15.2 Received-SPF: pass client-ip=2a03:3b40:100::1:2; envelope-from=cnx@loang.net; helo=tem.loang.net X-Spam_score_int: -13 X-Spam_score: -1.4 X-Spam_bar: - X-Spam_report: (-1.4 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_SOFTFAIL=0.732, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-Spam-Score: 1.0 (+) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) Hello Guix, Last week, an overflow bug in glibc's iconv(3) was discovered: https://www.openwall.com/lists/oss-security/2024/04/17/9 It may enable remove code execution through PHP. Due to the immutable nature of Guix, is it possible to hotpatch this using graft, or do we need to rebuild to world? https://rockylinux.org/news/glibc-vulnerability-april-2024/ Kind regards, McSinyx From unknown Mon Aug 18 22:13:03 2025 X-Loop: help-debbugs@gnu.org Subject: bug#70581: PHP, glibc, and CVE-2024-2961 Resent-From: Liliana Marie Prikler Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Fri, 26 Apr 2024 07:22:11 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 70581 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: McSinyx , 70581@debbugs.gnu.org Cc: guix-security@gnu.org Received: via spool by 70581-submit@debbugs.gnu.org id=B70581.171411608921737 (code B ref 70581); Fri, 26 Apr 2024 07:22:11 +0000 Received: (at 70581) by debbugs.gnu.org; 26 Apr 2024 07:21:29 +0000 Received: from localhost ([127.0.0.1]:33699 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1s0Ftb-0005dm-GV for submit@debbugs.gnu.org; Fri, 26 Apr 2024 03:21:27 -0400 Received: from mailrelay.tugraz.at ([129.27.2.202]:47143) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1s0FtU-0005bt-ES for 70581@debbugs.gnu.org; Fri, 26 Apr 2024 03:21:19 -0400 Received: from lprikler-laptop.ist.intra (gw.ist.tugraz.at [129.27.202.101]) by mailrelay.tugraz.at (Postfix) with ESMTPSA id 4VQkfG5LhFz3wVN; Fri, 26 Apr 2024 09:20:54 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tugraz.at; s=mailrelay; t=1714116054; bh=h84lli2d5A0xciX7CQDu3WuyE+LLyQPGj7QnvLpfVMk=; h=Subject:From:To:Cc:Date:In-Reply-To:References; b=ji4TB7q7HPizZBYX+W92g4rLV1gzYgbRBgoLn0QLI5qnueNxqEC1eYuUVRvJ/CjSV nQ69ihXoAFa3CiBZVy9bIhiQRpoo32Ga38sBenVchtU7MzG8kdA1WqZs1BF15ovi3B aE03K0JBPY7OJV1fPM0047m3pZYJVKd96TXLQz7g= Message-ID: From: Liliana Marie Prikler Date: Fri, 26 Apr 2024 09:20:53 +0200 In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.48.4 MIME-Version: 1.0 X-TUG-Backscatter-control: waObeELIUl4ypBWmcn/8wQ X-Spam-Scanner: SpamAssassin 3.003001 X-Spam-Score-relay: -1.9 X-Scanned-By: MIMEDefang 2.74 on 129.27.10.117 X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) Hi McSinyx, security-relevant bugs ought to go to , see [1]. Since a patch exists for glibc all the way back to 2.30, I suppose a graft can be used and should be performed timely.=20 Cheers [1] https://guix.gnu.org/en/security/ From debbugs-submit-bounces@debbugs.gnu.org Sat May 25 05:12:22 2024 Received: (at control) by debbugs.gnu.org; 25 May 2024 09:12:22 +0000 Received: from localhost ([127.0.0.1]:42260 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1sAnRt-00025D-U7 for submit@debbugs.gnu.org; Sat, 25 May 2024 05:12:22 -0400 Received: from eggs.gnu.org ([209.51.188.92]:47790) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1sAnRt-000255-1E for control@debbugs.gnu.org; Sat, 25 May 2024 05:12:21 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sAnRf-00083t-AA for control@debbugs.gnu.org; Sat, 25 May 2024 05:12:07 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-version:Subject:From:To:Date:in-reply-to: references; bh=5V4TnFasRg5OO2/eypzBOU2ciDtdxXriAg9/Xx8+iH8=; b=nddWsBzm7QG4mw fEQB27sY1IY3x3/gj9JXWO7EQ9EtwRAESU5jRW90uVbXF6gXq8wx9Y99JoeUF3pZ2Y6PWobWxk5uf OCgcafGs2RhJ+qMekVjqyJbzwFhWUxEtfFI24dMwbRrhFtMiA5z+xknF+cSQjtjzzcZwrOhHFmHuL +sZhlIiZgEmfrxExuGHUCueAtCZLxnb7BTx0Tt9uou1x/QQyBhwuIklKhgMEWIXjI8vlFk21raha8 /z/1eks3of9GmMfsXQJqxQroCwhanmO57bForZBnaJXmhzfUQf3AQ3Li4jctbTbZZktJjWMdP5gg7 cXdnP56wfMipNnqEokSw==; Date: Sat, 25 May 2024 11:12:04 +0200 Message-Id: <877cfi45nf.fsf@gnu.org> To: control@debbugs.gnu.org From: =?utf-8?Q?Ludovic_Court=C3=A8s?= Subject: control message for bug #70581 MIME-version: 1.0 Content-type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: control X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) tags 70581 + security quit From unknown Mon Aug 18 22:13:03 2025 X-Loop: help-debbugs@gnu.org Subject: bug#70581: [PATCH] gnu: glibc: Graft with fix for CVE-2024-2961. References: In-Reply-To: Resent-From: Maxim Cournoyer Original-Sender: "Debbugs-submit" Resent-CC: cnx@loang.net, liliana.prikler@ist.tugraz.at, ludo@gnu.org, andreas@enge.fr, janneke@gnu.org, bug-guix@gnu.org Resent-Date: Sat, 14 Dec 2024 14:23:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 70581 X-GNU-PR-Package: guix X-GNU-PR-Keywords: security To: 70581@debbugs.gnu.org Cc: Maxim Cournoyer , guix-security@gnu.org, McSinyx , Liliana Marie Prikler , Ludovic =?UTF-8?Q?Court=C3=A8s?= , Andreas Enge , Janneke Nieuwenhuizen X-Debbugs-Original-Xcc: McSinyx , Liliana Marie Prikler , Ludovic =?UTF-8?Q?Court=C3=A8s?= , Andreas Enge , Janneke Nieuwenhuizen Received: via spool by 70581-submit@debbugs.gnu.org id=B70581.173418613814871 (code B ref 70581); Sat, 14 Dec 2024 14:23:01 +0000 Received: (at 70581) by debbugs.gnu.org; 14 Dec 2024 14:22:18 +0000 Received: from localhost ([127.0.0.1]:46009 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tMT28-0003ri-Kk for submit@debbugs.gnu.org; Sat, 14 Dec 2024 09:22:17 -0500 Received: from mail-pf1-f177.google.com ([209.85.210.177]:55390) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tMT24-0003rY-ET for 70581@debbugs.gnu.org; Sat, 14 Dec 2024 09:22:14 -0500 Received: by mail-pf1-f177.google.com with SMTP id d2e1a72fcca58-728eedfca37so2861724b3a.2 for <70581@debbugs.gnu.org>; Sat, 14 Dec 2024 06:22:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1734186070; x=1734790870; darn=debbugs.gnu.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=a6ONGS/XN5v5g3tzv3YNrp0n1iqNL6hytVVZY2DVRDg=; b=HZAazOK2T6blBbkX7YVWIWvRRH0tk97MDJCRBOC2H8Mi6UID40olFK7+I55paX3kNd mGxAoARZ3Hp4dVVGOnp7dRyipWUu2k3N+YdenTkIslrDggTpQXlOv5rCxluT7G0M1z3D BHSIS0JZrDludtMK7cF5ST6c058ODtKEPyhhthqOeN93Hti8hmq+Swxxeh2upxMw1yg3 nhHro/yYJhYh6Kxyex4g1x1PbEph1ZOqFq/2/HL4cJEN9BIa3NsY9BQwd/uBx2fjrgRb 0PMbgaxf42s/4ZRyXfhYo9bYkJm7eoi/S0i9xEiZHgQZTzhmyeYc1qUXW0uTbwqius+r sNQg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1734186070; x=1734790870; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=a6ONGS/XN5v5g3tzv3YNrp0n1iqNL6hytVVZY2DVRDg=; b=YgQcJhEBYKX2qzLrkym3mXjDCAcCbPc4+SLYIwaMeNzRneruL5p3j+EgkID7/ZkqYA g8ZW7S9mrijJViv6wfnrjbll/q3FlXc5RT0TfcCo3kgtLnVbVyl/7cxuuy5ktazNYVfR IBqre76ZdYbT+8r6NfQP2/jcB+T/rR/zkQaYeb1DSx1X9amnGNWrtTIshGTWbztd1Tzp CrSlJIDmPS0tXmDkiMnsLCdqB+aNuxJuX7v1cUIlK++Aw2bfXFeFElLaujz1tujVgpcU syDHA7hYsDIa6PaiXzrazYD2S5lO12ZCDmb4Sp5yG/k/nLGFbOuJr/B+Gg/M+B+f3vSX r15w== X-Gm-Message-State: AOJu0YyMlUt3cmER3oAqvUIaXmagpGmb5CVxVgeVkptHN3t4Rmep7VoM 8TJrueim1muyZdR7dzNukpc8vKCqnjr04+3mKuT2JOBGEiomcxnbuI+L1A== X-Gm-Gg: ASbGncv4YuZ7Yxc2yaNapio1ob8sXtyztYJiOoSEP4yUqUd4g+ONKmyn7TCz5D/Azrr isyD6qormCPkiRSrPluResHCnnZeWbmJHR0twQZhgAKk0X0JRTAhQBn8Yij2O3WBGpY8LtlLpFH VOtfUT8QnsPzkimxCKQ9eUGALOuMXK2Dn8zcq/x/5wmRDxb4/aLM1lvRrearUfipff6kEWnU7Ru JRGieua40cUqZnT3Tz6eRllCrCQrVEKvHP7mlgFW/OmfjxG8g2duAHH4g2+Pt/sgchcgtw2tlI= X-Google-Smtp-Source: AGHT+IHdBW7TGV6OWMRhkckdJh3ixGuyyLBLAZm4x/IQPrBEdAY7SlGQ58oWl6YBr6aUtW5H9beryw== X-Received: by 2002:a05:6a20:3947:b0:1e0:c8d9:3382 with SMTP id adf61e73a8af0-1e1dfe6a67bmr9192679637.45.1734186069979; Sat, 14 Dec 2024 06:21:09 -0800 (PST) Received: from localhost.localdomain ([2405:6586:be0:0:c8ff:1707:9b9:af89]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-72918ad5c07sm1514516b3a.60.2024.12.14.06.21.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 14 Dec 2024 06:21:09 -0800 (PST) From: Maxim Cournoyer Date: Sat, 14 Dec 2024 23:20:53 +0900 Message-ID: X-Mailer: git-send-email 2.46.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Score: 0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) * gnu/packages/base.scm (%glibc-patches): New variable. (glibc) [source]: Use it. [properties]: Mark CVE-2024-2961 as hidden (resolved). [replacement]: Add field to graft with... (glibc/fixed): ... this new package. Fixes: Change-Id: I6dd70b0e157283925824348f180c466c2f6387c9 --- gnu/packages/base.scm | 55 ++++++++++++++++++++++++++++++++----------- 1 file changed, 41 insertions(+), 14 deletions(-) diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index b3f54798c4..a060ed556d 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm @@ -878,6 +878,21 @@ (define* (make-ld-wrapper name #:key (home-page "https://www.gnu.org/software/guix//") (license gpl3+))) +(define %glibc-patches + (list "glibc-2.39-git-updates.patch" + "glibc-ldd-powerpc.patch" + "glibc-2.38-ldd-x86_64.patch" + "glibc-dl-cache.patch" + "glibc-2.37-versioned-locpath.patch" + ;; "glibc-allow-kernel-2.6.32.patch" + "glibc-reinstate-prlimit64-fallback.patch" + "glibc-supported-locales.patch" + "glibc-2.37-hurd-clock_t_centiseconds.patch" + "glibc-2.37-hurd-local-clock_gettime_MONOTONIC.patch" + "glibc-hurd-mach-print.patch" + "glibc-hurd-gettyent.patch" + "glibc-hurd-getauxval.patch")) + (define-public glibc ;; This is the GNU C Library, used on GNU/Linux and GNU/Hurd. Prior to ;; version 2.28, GNU/Hurd used a different glibc branch. @@ -890,21 +905,11 @@ (define-public glibc (sha256 (base32 "09nrwb0ksbah9k35jchd28xxp2hidilqdgz7b8v5f30pz1yd8yzp")) - (patches (search-patches "glibc-2.39-git-updates.patch" - "glibc-ldd-powerpc.patch" - "glibc-2.38-ldd-x86_64.patch" - "glibc-dl-cache.patch" - "glibc-2.37-versioned-locpath.patch" - ;; "glibc-allow-kernel-2.6.32.patch" - "glibc-reinstate-prlimit64-fallback.patch" - "glibc-supported-locales.patch" - "glibc-2.37-hurd-clock_t_centiseconds.patch" - "glibc-2.37-hurd-local-clock_gettime_MONOTONIC.patch" - "glibc-hurd-mach-print.patch" - "glibc-hurd-gettyent.patch" - "glibc-hurd-getauxval.patch")))) - (properties `((lint-hidden-cve . ("CVE-2024-33601" "CVE-2024-33602" + (patches (map search-patch %glibc-patches)))) + (properties `((lint-hidden-cve . ("CVE-2024-2961" + "CVE-2024-33601" "CVE-2024-33602" "CVE-2024-33600" "CVE-2024-33599")))) + (replacement glibc/fixed) (build-system gnu-build-system) ;; Glibc's refers to , for instance, so glibc @@ -1182,6 +1187,28 @@ (define-public glibc (license lgpl2.0+) (home-page "https://www.gnu.org/software/libc/"))) +(define glibc/fixed + (package + (inherit glibc) + (name "glibc") + (version (package-version glibc)) + (source (origin + (method git-fetch) + (uri (git-reference + (url "git://sourceware.org/git/glibc.git") + ;; This is the latest commit from the + ;; 'release/2.39/master' branch, where CVEs and other + ;; important bug fixes are cherry picked. + (commit "2c882bf9c15d206aaf04766d1b8e3ae5b1002cc2"))) + (file-name (git-file-name name version)) + (sha256 + (base32 + "111yf24g0qcfcxywfzrilmjxysahlbkzxfimcz9rq8p00qzvvf51")) + (patches (map search-patch + (fold (cut delete <...>) + %glibc-patches + '("glibc-2.39-git-updates.patch")))))))) + ;; Define a variation of glibc which uses the default /etc/ld.so.cache, useful ;; in FHS containers. (define-public glibc-for-fhs base-commit: 93e1586116f39a30ba1fcb67bd839a43533dfaf4 -- 2.46.0 From unknown Mon Aug 18 22:13:03 2025 MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) X-Loop: help-debbugs@gnu.org From: help-debbugs@gnu.org (GNU bug Tracking System) To: "McSinyx" Subject: bug#70581: closed (Re: bug#70581: PHP, glibc, and CVE-2024-2961) Message-ID: References: <87a5ctphuu.fsf_-_@gmail.com> X-Gnu-PR-Message: they-closed 70581 X-Gnu-PR-Package: guix X-Gnu-PR-Keywords: security Reply-To: 70581@debbugs.gnu.org Date: Wed, 18 Dec 2024 07:33:02 +0000 Content-Type: multipart/mixed; boundary="----------=_1734507182-9786-1" This is a multi-part message in MIME format... ------------=_1734507182-9786-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Your bug report #70581: PHP, glibc, and CVE-2024-2961 which was filed against the guix package, has been closed. The explanation is attached below, along with your original report. If you require more details, please reply to 70581@debbugs.gnu.org. --=20 70581: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D70581 GNU Bug Tracking System Contact help-debbugs@gnu.org with problems ------------=_1734507182-9786-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at 70581-done) by debbugs.gnu.org; 18 Dec 2024 07:32:54 +0000 Received: from localhost ([127.0.0.1]:33207 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tNoY9-0002XO-Lc for submit@debbugs.gnu.org; Wed, 18 Dec 2024 02:32:53 -0500 Received: from mail-qk1-f174.google.com ([209.85.222.174]:42270) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tNoY7-0002XF-L6 for 70581-done@debbugs.gnu.org; Wed, 18 Dec 2024 02:32:52 -0500 Received: by mail-qk1-f174.google.com with SMTP id af79cd13be357-7b6ef047e9bso40812185a.1 for <70581-done@debbugs.gnu.org>; Tue, 17 Dec 2024 23:32:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1734507111; x=1735111911; darn=debbugs.gnu.org; h=mime-version:user-agent:message-id:date:references:in-reply-to :subject:cc:to:from:from:to:cc:subject:date:message-id:reply-to; bh=xq/Fc7Z+/1+WafWZh3YkBk027fSVKZOjH4uhNEe0atY=; b=SIk3IDhjyhe2vFu8A1v3vihYTXb72K53ut7WOm63zxMDK2pCST5IudTNiDyp7Fn6Is 5nWGNObGnx8K0i8P33KwwT2De+JRwucjMPo/BJeE12yoNCGEdBxeCMSaX1nVdMGqnOCo qJNcB7cioqYg0wgdy6RFA5ipum0EYQjpLJBtanXcgPKykGImRXIJvOEqPMRG+CRkXMn2 mm4h2Q/iXt7sXBOQGsCswaeezN35zrcCna9kkDI7UrgsS1ImkAmryxont1HPF8T7Bewh MiWUJtVH+pyMKqcWLT0dWM2eQ+rGfwONltRn63fbmLLbzgHJc7rV7zKGMDkGjQxeDOL/ CGXQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1734507111; x=1735111911; h=mime-version:user-agent:message-id:date:references:in-reply-to :subject:cc:to:from:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=xq/Fc7Z+/1+WafWZh3YkBk027fSVKZOjH4uhNEe0atY=; b=snxZWK2IwdloJyoHlkvlmUfG/pC8AXIMAD+2HA9hzpXmhwGtechyOQLC/ofFi3tq0h LpPeT8V8G+AfzmMVJ/XXyJdd+O6VFPThp9imjfzfoBF8xXpEfxUrW0/S3c5XgKXdTeEa 3RgliquDA6KcnFY6JgZ8IuH4ymzeRz52ZPk3MLkpAKZIZDkbl2XCeOTOV6OAYroZluFQ 4etS4kJjRjuZFtoekMDdEjsC44EM2tTh45WV8l+T/NmmwBS4rix+8T2g/3Y+gmDOWLN/ y/nlD02D7tEgdeB2HpeWFg1xnsb0PPz9AH1ru5INt+rlGP0IgJqEfzOd+Pf8CYip1oyG cJ7g== X-Gm-Message-State: AOJu0Ywrs8QlTgJ7wvqcYTtrDDvz9a+ISoFycPi6mSEK5sAtUbks+Z93 K7Nzi/9Yr+WUyBBhJVlXINK0mLYjwePqO4GIpkQ4UmRWxF8S/ptNwjKDTmUcpLA= X-Gm-Gg: ASbGncvzKkl63ClEHp7UN40FOEA4QyyJC7El4+DUBuL76XBYUGFVej6leH8w8qH42Rf feOWSM9C+rbcAaMfwDzRx/s1HyxOIfgYggZN7iWUeFOoaeV6cs19C6Fgp0fef8hrYS+3JwCBy5/ btljBce23zcB4LDeKFADFTdF5p9/EzchtnwyFdeNavy7aAxntgcxhy4DXRns+alKlSwP3Os+Qkw jTrn/nThwbEZ7CgyUBhgm39EIQEJWlal7AUgaCI8bqkwHFslDr8i8snsl5Y8SOLDjnNRUZQ4Fq0 Fw== X-Google-Smtp-Source: AGHT+IFC9aqn+ROmbqk5ZOs7IrUXArIgUtF156hVSMnCCy2FEC2UOu/6rUiC/lCurYAX/mMgPN8/SA== X-Received: by 2002:a05:620a:28c9:b0:7b6:eba3:2dfb with SMTP id af79cd13be357-7b8635fe7a8mr302248485a.16.1734507111073; Tue, 17 Dec 2024 23:31:51 -0800 (PST) Received: from terra (vps-6234970c.vps.ovh.ca. [51.222.13.224]) by smtp.gmail.com with ESMTPSA id af79cd13be357-7b7047f3f5dsm399499085a.66.2024.12.17.23.31.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 17 Dec 2024 23:31:49 -0800 (PST) From: Maxim Cournoyer To: 70581-done@debbugs.gnu.org Subject: Re: bug#70581: PHP, glibc, and CVE-2024-2961 In-Reply-To: (Maxim Cournoyer's message of "Sat, 14 Dec 2024 23:20:53 +0900") References: Date: Wed, 18 Dec 2024 16:31:37 +0900 Message-ID: <87a5ctphuu.fsf_-_@gmail.com> User-Agent: Gnus/5.13 (Gnus v5.13) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 70581-done Cc: Ludovic =?utf-8?Q?Court=C3=A8s?= , guix-security@gnu.org, Liliana Marie Prikler , Andreas Enge , McSinyx , Janneke Nieuwenhuizen X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Hi Maxim Cournoyer writes: > * gnu/packages/base.scm (%glibc-patches): New variable. > (glibc) [source]: Use it. > [properties]: Mark CVE-2024-2961 as hidden (resolved). > [replacement]: Add field to graft with... > (glibc/fixed): ... this new package. > > Fixes: > Change-Id: I6dd70b0e157283925824348f180c466c2f6387c9 Applied. -- Thanks, Maxim ------------=_1734507182-9786-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at submit) by debbugs.gnu.org; 26 Apr 2024 06:45:31 +0000 Received: from localhost ([127.0.0.1]:33648 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1s0FKs-0007I5-MB for submit@debbugs.gnu.org; Fri, 26 Apr 2024 02:45:31 -0400 Received: from lists.gnu.org ([2001:470:142::17]:59610) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1s0FKq-0007GL-76 for submit@debbugs.gnu.org; Fri, 26 Apr 2024 02:45:29 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1s0FKP-0007Xb-E2 for bug-guix@gnu.org; Fri, 26 Apr 2024 02:45:01 -0400 Received: from tem.loang.net ([2a03:3b40:100::1:2]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1s0FKN-0004TU-Jx for bug-guix@gnu.org; Fri, 26 Apr 2024 02:45:01 -0400 DKIM-Signature: a=rsa-sha256; bh=D8uAUsG5rzYaKX3jUZL5JknVpaDuuKM9HneVWiP5Y5k=; c=relaxed/relaxed; d=loang.net; h=Subject:Subject:Sender:To:To:Cc:From:From:Date:Date:MIME-Version:MIME-Version:Content-Type:Content-Type:Content-Transfer-Encoding:Content-Transfer-Encoding:Reply-To:In-Reply-To:Message-Id:Message-Id:References:Autocrypt:Openpgp; i=@loang.net; s=default; t=1714113892; v=1; x=1714545892; b=OwYJSxppqBcz3exTR3jxl6tG2Icl/SJOjaXXEg23WWBJ6UQvqP7Zfcjk/dhnOKUTSi0KUyaN S9pj4c5oRj+srP2I0qBQBXui1KYW01FO9b0r6BCgGDETwuKSBA43VLMHQXweZMCPeXxZr1qZTwh Mb8AxT7BwEdZ0NEg4/Iadg2lGdeVd1trlVekt/yVobR+SYnn616dUUzZ3pHNPWQ7HrW2fH+5vL4 8Fd20q6l8VNkMd4sX49MIIGwfL14JUc6Psmv5r5UeMNgOSRpZDCzmcHYtwg54StBqC3ISBKOhlw fJAyoQT6aqA06RoZ/I2b9NDxuT71eTMWy1hRIeHpOaYKQ== Received: by tem.loang.net (envelope-sender ) with ESMTPS id 6b865c07; Fri, 26 Apr 2024 06:44:52 +0000 Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 Date: Fri, 26 Apr 2024 15:44:50 +0900 Subject: PHP, glibc, and CVE-2024-2961 To: From: "McSinyx" Message-Id: X-Mailer: aerc 0.15.2 Received-SPF: pass client-ip=2a03:3b40:100::1:2; envelope-from=cnx@loang.net; helo=tem.loang.net X-Spam_score_int: -13 X-Spam_score: -1.4 X-Spam_bar: - X-Spam_report: (-1.4 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_SOFTFAIL=0.732, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-Spam-Score: 1.0 (+) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) Hello Guix, Last week, an overflow bug in glibc's iconv(3) was discovered: https://www.openwall.com/lists/oss-security/2024/04/17/9 It may enable remove code execution through PHP. Due to the immutable nature of Guix, is it possible to hotpatch this using graft, or do we need to rebuild to world? https://rockylinux.org/news/glibc-vulnerability-april-2024/ Kind regards, McSinyx ------------=_1734507182-9786-1-- From unknown Mon Aug 18 22:13:03 2025 X-Loop: help-debbugs@gnu.org Subject: bug#70581: PHP, glibc, and CVE-2024-2961 Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Wed, 18 Dec 2024 10:09:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 70581 X-GNU-PR-Package: guix X-GNU-PR-Keywords: security To: Maxim Cournoyer Cc: guix-security@gnu.org, Liliana Marie Prikler , Andreas Enge , 70581@debbugs.gnu.org, McSinyx , Janneke Nieuwenhuizen Received: via spool by 70581-submit@debbugs.gnu.org id=B70581.17345165277225 (code B ref 70581); Wed, 18 Dec 2024 10:09:02 +0000 Received: (at 70581) by debbugs.gnu.org; 18 Dec 2024 10:08:47 +0000 Received: from localhost ([127.0.0.1]:33480 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tNqz1-0001sS-5U for submit@debbugs.gnu.org; Wed, 18 Dec 2024 05:08:47 -0500 Received: from eggs.gnu.org ([209.51.188.92]:41926) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tNqyv-0001sA-Bt for 70581@debbugs.gnu.org; Wed, 18 Dec 2024 05:08:46 -0500 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tNqyj-0003EK-Qz; Wed, 18 Dec 2024 05:08:29 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:Date:References:In-Reply-To:Subject:To: From; bh=XTgotAnTnaLN2lqDtMh28HSWsxkkLRygfueBLJgdztw=; b=EeW2FiBr2rK2Ywob4OiZ ODVMPyT3n2/rfipIAG8EuXaAhoOqJvV5J8DMsNHIWCAgPLhdasmOBxqDlxGcFJ6KPY2tHkdGrvUB9 a7XHiN4adOLxcRgAEh6lzvtbTL1JVTJmOCcSbSXnwhgTyUDk+blJN5AJy462pTuI/zIyJRdpxgF6O x2B9wfSXmsVTrI5uI8DpuF1wl43JrWfzZKS/tmfPOY/ouM3EVIGptWGJyR/6GlNUjzpa4KDvajfsw oXviOWqnqs/Fhoxe2qHFwBFmfsrpaMvnP93Jl4e9Z4q463aUCTd934gEJdD9oByFLHsw5YBQq45LD 1CMvoPSm9F/K7A==; From: Ludovic =?UTF-8?Q?Court=C3=A8s?= In-Reply-To: (Maxim Cournoyer's message of "Sat, 14 Dec 2024 23:20:53 +0900") References: Date: Wed, 18 Dec 2024 11:07:48 +0100 Message-ID: <87bjx9nw23.fsf_-_@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) Hi, Maxim Cournoyer skribis: > * gnu/packages/base.scm (%glibc-patches): New variable. > (glibc) [source]: Use it. > [properties]: Mark CVE-2024-2961 as hidden (resolved). > [replacement]: Add field to graft with... > (glibc/fixed): ... this new package. > > Fixes: > Change-Id: I6dd70b0e157283925824348f180c466c2f6387c9 I=E2=80=99m late to the party, apologies! (I was Cc=E2=80=99d, despite bein= g on =E2=80=98core-packages=E2=80=99, weird.) > + (patches (map search-patch > + (fold (cut delete <...>) > + %glibc-patches > + '("glibc-2.39-git-updates.patch"))))))= )) Or: (delete "glibc-2.39-git-updates.patch" (search-patches %glibc-patches)). Thank you! Ludo=E2=80=99. From unknown Mon Aug 18 22:13:03 2025 X-Loop: help-debbugs@gnu.org Subject: bug#70581: PHP, glibc, and CVE-2024-2961 Resent-From: Maxim Cournoyer Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Thu, 19 Dec 2024 02:28:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 70581 X-GNU-PR-Package: guix X-GNU-PR-Keywords: security To: Ludovic =?UTF-8?Q?Court=C3=A8s?= Cc: guix-security@gnu.org, Liliana Marie Prikler , Andreas Enge , 70581@debbugs.gnu.org, McSinyx , Janneke Nieuwenhuizen Received: via spool by 70581-submit@debbugs.gnu.org id=B70581.1734575233515 (code B ref 70581); Thu, 19 Dec 2024 02:28:01 +0000 Received: (at 70581) by debbugs.gnu.org; 19 Dec 2024 02:27:13 +0000 Received: from localhost ([127.0.0.1]:36784 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tO6Ft-00008F-3o for submit@debbugs.gnu.org; Wed, 18 Dec 2024 21:27:13 -0500 Received: from mail-pg1-f176.google.com ([209.85.215.176]:50526) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tO6Fq-00007y-J6 for 70581@debbugs.gnu.org; Wed, 18 Dec 2024 21:27:11 -0500 Received: by mail-pg1-f176.google.com with SMTP id 41be03b00d2f7-8019f048bc7so138139a12.1 for <70581@debbugs.gnu.org>; Wed, 18 Dec 2024 18:27:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1734575165; x=1735179965; darn=debbugs.gnu.org; h=content-transfer-encoding:mime-version:user-agent:message-id:date :references:in-reply-to:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=AgZBtrbO4j6+U5dqgZomN2NJ9x0IkP5PQAem8vO/rIE=; b=gN04BbpPtUbCIekljLlO0ZccQ5O39oHK5ezMMbWFULzn7cOPggUhX4IoD2vHlcS2s5 7wZj4Em0OsPmpF+aRErJsjzcl3yTyPjbx0vjHS2llnlPw7JN1Og+yzMCuQKV0Wn+eW7X DuZ438temo6gMVUqbOOPKvEgxdDOm9F+S1vVlhx4rh/CFkP43d6LNuhJ3tmAiYsmFsJI wpejw+SO8I0h6JKJiZ4LioIckM6m+tOKVg+duG5Dqa6yrJ1wnpmtpJUM3xzEwCC9WqME nCuMNTQoJZLj3JJBwS+MShCA0RAl3tjtstGBm0uf8Dqy1m4JGukqgVQ5eTkQ2KriovKP PZsQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1734575165; x=1735179965; h=content-transfer-encoding:mime-version:user-agent:message-id:date :references:in-reply-to:subject:cc:to:from:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=AgZBtrbO4j6+U5dqgZomN2NJ9x0IkP5PQAem8vO/rIE=; b=M92gbuadkCDnBrcpDpjjnrxNJgo+hsKxsGxqwXoS1n7j7j2xFRbWxJbo8re72wqswG 3jgyoxnDxgTs+wt7uLPSug9rVMGPgjsu6Ud+SjErmgkmblnkaHwAZfdekYnFOYDO5utn kwhZWKh9VuByTKMMscU4QsR9cLmfFPote6kL5VETsGTOySwYjQcvdGMmuf0wu8thfQps BukUBZGlY3HyW7hQ8ohVG4sTCbqJWJjVgbF1xBWc11BHFy8Sdbmj3+Vl+dMq12FqCXac njMrKnM17TvatJUuonS/cwSj/0eBDdbQxxCIefxuWMUPz3sGVXpgHHKvZVGZGyBDnBs0 gEkg== X-Gm-Message-State: AOJu0YxfTJzwHu9rG7KVXHjfFx3eEnZxOG6XhnIvFIB7VQPrBILgF7Ej YvDOrkvR2/4/TK8dOwjksBP/09ID7mcOnrxx6+vebLQZVWwL14MB X-Gm-Gg: ASbGncsedP7aEX39kdA7FaB4SiqN90YjZoBu4D69327qkqMhtQE9g5bzo8M2lxSml1+ JK8B4YQt1+PunnQ3zhzhtSvjJmBOw0WcPtd2coQYyf8VTRa7GgjV5MJ8K8iUuSzRjCS4noc8QcL LDUL4trhDDTQJh+wtcU7BeqxV8Gjr363pkAbU7w2zm1qQd900OgjkSYPuIlt8f285pTRQDBwWJE qr6NSC8qFe1+EPz9Jd+HZzlf1jFpCShJrzZko3RQYSGMCD5RfCtsA== X-Google-Smtp-Source: AGHT+IGug1f0NvwZ8H5bGfe9zX5bg/o6Wxohz4gSrVtNs1hHxoY22BMdR/F9xMlqOmesBmocuu/giQ== X-Received: by 2002:a17:90b:4ecf:b0:2ee:c5ea:bd91 with SMTP id 98e67ed59e1d1-2f443d4549dmr2313626a91.29.1734575164699; Wed, 18 Dec 2024 18:26:04 -0800 (PST) Received: from terra ([2405:6586:be0:0:c8ff:1707:9b9:af89]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-2f447798916sm229202a91.11.2024.12.18.18.26.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 18 Dec 2024 18:26:04 -0800 (PST) From: Maxim Cournoyer In-Reply-To: <87bjx9nw23.fsf_-_@gnu.org> ("Ludovic =?UTF-8?Q?Court=C3=A8s?="'s message of "Wed, 18 Dec 2024 11:07:48 +0100") References: <87bjx9nw23.fsf_-_@gnu.org> Date: Thu, 19 Dec 2024 11:25:53 +0900 Message-ID: <87r064mmry.fsf@gmail.com> User-Agent: Gnus/5.13 (Gnus v5.13) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: 0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Hi Ludovic, Ludovic Court=C3=A8s writes: [...] >> + (patches (map search-patch >> + (fold (cut delete <...>) >> + %glibc-patches >> + '("glibc-2.39-git-updates.patch")))))= ))) > > Or: (delete "glibc-2.39-git-updates.patch" (search-patches %glibc-patches= )). It doesn't seem to work the way you'd intuitively expect, because search-patches is syntax, and %glibc-patches is a list. So you at least need the map and search-patch procedure: --8<---------------cut here---------------start------------->8--- (delete "glibc-2.39-git-updates.patch" (map search-patch %glibc-patches)). --8<---------------cut here---------------end--------------->8--- And then the delete has no effect because 'search-path' returns absolute paths, so the patch to delete is now something like '/home/maxim/src/guix/gnu/packages/patches/glibc-2.39-git-updates.patch', for example. --=20 Thanks, Maxim From unknown Mon Aug 18 22:13:03 2025 X-Loop: help-debbugs@gnu.org Subject: bug#70581: PHP, glibc, and CVE-2024-2961 Resent-From: Liliana Prikler Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Fri, 20 Dec 2024 07:56:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 70581 X-GNU-PR-Package: guix X-GNU-PR-Keywords: security To: Maxim Cournoyer , Ludovic =?UTF-8?Q?Court=C3=A8s?= Cc: Andreas Enge , Janneke Nieuwenhuizen , 70581@debbugs.gnu.org, McSinyx , guix-security@gnu.org Received: via spool by 70581-submit@debbugs.gnu.org id=B70581.17346813445834 (code B ref 70581); Fri, 20 Dec 2024 07:56:01 +0000 Received: (at 70581) by debbugs.gnu.org; 20 Dec 2024 07:55:44 +0000 Received: from localhost ([127.0.0.1]:41505 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tOXrK-0001W0-Kn for submit@debbugs.gnu.org; Fri, 20 Dec 2024 02:55:44 -0500 Received: from mailrelay.tugraz.at ([129.27.2.202]:57562) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tOWzt-0007OI-8q for 70581@debbugs.gnu.org; Fri, 20 Dec 2024 02:00:30 -0500 Received: from tug-swl-230-198.tugraz.at (tug-swl-230-198.tugraz.at [129.27.230.198]) by mailrelay.tugraz.at (Postfix) with ESMTPSA id 4YDywY4nmHz1JJBr; Fri, 20 Dec 2024 08:00:13 +0100 (CET) DKIM-Filter: OpenDKIM Filter v2.11.0 mailrelay.tugraz.at 4YDywY4nmHz1JJBr DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tugraz.at; s=mailrelay; t=1734678014; bh=jnAN7WOFj17GmM0kU8Cvd71Ox3Z8JQydIMXYsrDKsKg=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=fMRXfLq+bhgtBWcsaSnidffSABunABdGbwRBEHDh6E9CnqGolwzWVUVZ6zAXhZ9Qz o6buAvfJ1ICBkro40kiNALRMWCCcH3V1pXwJyyCVlgau0jPrrWzLkiuS1odqaIip9P yCb0Bl6DdIeZtB67oRNEGfLOnoddFA+1IiJcrQhc= Message-ID: <41e8919d208dfdfc0a50b456286c0de2d0b1ad20.camel@tugraz.at> From: Liliana Prikler Date: Fri, 20 Dec 2024 08:00:13 +0100 In-Reply-To: <87r064mmry.fsf@gmail.com> References: <87bjx9nw23.fsf_-_@gnu.org> <87r064mmry.fsf@gmail.com> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.52.3-0ubuntu1 MIME-Version: 1.0 X-TUG-Backscatter-control: G/VXY7/6zeyuAY/PU2/0qw X-Spam-Scanner: SpamAssassin 3.003001 X-Spam-Score-relay: -1.9 X-Scanned-By: MIMEDefang 2.74 on 129.27.10.117 X-Spam-Score: -2.3 (--) X-Mailman-Approved-At: Fri, 20 Dec 2024 02:55:41 -0500 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) Am Donnerstag, dem 19.12.2024 um 11:25 +0900 schrieb Maxim Cournoyer: > Hi Ludovic, >=20 > Ludovic Court=C3=A8s writes: >=20 > [...] >=20 > > > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0 (patches (map search-patch > > > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0 (fold (cut delete <...>) > > > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 %glibc-patches > > > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 '("glibc-2.39-git= - > > > updates.patch")))))))) > >=20 > > Or: (delete "glibc-2.39-git-updates.patch" (search-patches %glibc- > > patches)). >=20 > It doesn't seem to work the way you'd intuitively expect, because > search-patches is syntax, and %glibc-patches is a list.=C2=A0 So you at > least need the map and search-patch procedure: >=20 > --8<---------------cut here---------------start------------->8--- > (delete "glibc-2.39-git-updates.patch" (map search-patch %glibc- > patches)). > --8<---------------cut here---------------end--------------->8--- >=20 > And then the delete has no effect because 'search-path' returns > absolute paths, so the patch to delete is now something like > '/home/maxim/src/guix/gnu/packages/patches/glibc-2.39-git- > updates.patch', for example. What about=C2=A0 (map search-patch=C2=A0 (delete "glibc-2.39-git-updates.patch" %glibc-patches))=C2=A0 ?