GNU bug report logs - #70581
PHP, glibc, and CVE-2024-2961


Package: guix

Reported by: "McSinyx" <cnx <at> loang.net>

Date: Fri, 26 Apr 2024 06:46:07 UTC

Severity: normal

Tags: security

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: "McSinyx" <cnx <at> loang.net>
Subject: bug#70581: closed (Re: bug#70581: PHP, glibc, and CVE-2024-2961)
Date: Wed, 18 Dec 2024 07:33:02 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#70581: PHP, glibc, and CVE-2024-2961

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 70581 <at> debbugs.gnu.org.

-- 
70581: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=70581
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 70581-done <at> debbugs.gnu.org
Cc: Ludovic Courtès <ludo <at> gnu.org>, guix-security <at> gnu.org,
 Liliana Marie Prikler <liliana.prikler <at> ist.tugraz.at>,
 Andreas Enge <andreas <at> enge.fr>, McSinyx <cnx <at> loang.net>,
 Janneke Nieuwenhuizen <janneke <at> gnu.org>
Subject: Re: bug#70581: PHP, glibc, and CVE-2024-2961
Date: Wed, 18 Dec 2024 16:31:37 +0900
Hi

Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:

> * gnu/packages/base.scm (%glibc-patches): New variable.
> (glibc) [source]: Use it.
> [properties]: Mark CVE-2024-2961 as hidden (resolved).
> [replacement]: Add field to graft with...
> (glibc/fixed): ... this new package.
>
> Fixes: <https://issues.guix.gnu.org/70581>
> Change-Id: I6dd70b0e157283925824348f180c466c2f6387c9

Applied.

-- 
Thanks,
Maxim

[Message part 3 (message/rfc822, inline)]
From: "McSinyx" <cnx <at> loang.net>
To: <bug-guix <at> gnu.org>
Subject: PHP, glibc, and CVE-2024-2961
Date: Fri, 26 Apr 2024 15:44:50 +0900
Hello Guix,

Last week, an overflow bug in glibc's iconv(3) was discovered:
https://www.openwall.com/lists/oss-security/2024/04/17/9

It may enable remote code execution through PHP.  Due to
the immutable nature of Guix, is it possible to hotpatch
this using graft, or do we need to rebuild the world?
https://rockylinux.org/news/glibc-vulnerability-april-2024/

Kind regards,
McSinyx



This bug report was last modified 212 days ago.
