[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#27429: Stack clash (CVE-2017-1000366 etc)

From: Mark H Weaver
Subject: bug#27429: Stack clash (CVE-2017-1000366 etc)
Date: Fri, 23 Jun 2017 14:36:41 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)

Leo Famulari <address@hidden> writes:

> On Wed, Jun 21, 2017 at 12:50:45PM +0300, Efraim Flashner wrote:
>> Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
>> * gnu/packages/base.scm (glibc/linux)[replacement]: New field.
>> (glibc-2.25-fixed): New variable.
>> (address@hidden, address@hidden, address@hidden, address@hidden)[source]: 
>> Add patches.
>> [replacement]: New field.
>> (glibc-locales)[replacement]: New field.
>> * gnu/packages/commencement.scm (cross-gcc-wrapper)[replacement]: New field.
>> * gnu/packages/patches/glibc-CVE-2017-1000366.patch,
>> gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch,
>> gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Add them.
> I've applied this patch to my Guix-on-foreign-distro workstation.
> Everything seems to be working so far.
> I noticed that grafted packages do not seem refer directly to the
> replacement glibc. For example:
> $ ./pre-inst-env guix build -e '(@@ (gnu packages base) glibc-2.25-patched)'
> /gnu/store/kczijfli8cb0qjyrfzbrd06bdrpic7lx-glibc-2.25-debug
> /gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25

I wouldn't expect them to.  Almost(?) nothing in Guix links to the
'glibc' in (gnu packages base), so I wouldn't expect them to link to its
replacement either.

Most packages are linked with 'glibc-final' in (gnu packages
commencement), and we should expect them to now be linked with *its*
replacement.  Try this to find the expected glibc-final replacement:

  ./pre-inst-env guix build -e '((@@ (guix packages) package-replacement) (@@ 
(gnu packages commencement) glibc-final))'

> By the way, Qualys will probably begin publishing their exploits on
> Tuesday [0]:

Thanks for the heads-up, and more generally to your prolific
contributions to security in Guix!


reply via email to

[Prev in Thread] Current Thread [Next in Thread]