[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#27429: Stack clash (CVE-2017-1000366 etc)

From: Leo Famulari
Subject: bug#27429: Stack clash (CVE-2017-1000366 etc)
Date: Fri, 23 Jun 2017 14:54:48 -0400
User-agent: Mutt/1.8.3 (2017-05-23)

On Fri, Jun 23, 2017 at 02:36:41PM -0400, Mark H Weaver wrote:
> Most packages are linked with 'glibc-final' in (gnu packages
> commencement), and we should expect them to now be linked with *its*
> replacement.  Try this to find the expected glibc-final replacement:
>   ./pre-inst-env guix build -e '((@@ (guix packages) package-replacement) (@@ 
> (gnu packages commencement) glibc-final))'

Thank you for the clarification. Indeed, with Efraim's latest patch,
packages seem to be referring to the replacement for glibc-final.

So, do we think this patch is ready to apply? AFAIK, nobody has yet
tried upgrading a GuixSD system with this patch. I won't have access to
my bare-metal GuixSD system for the next few days.

> > By the way, Qualys will probably begin publishing their exploits on
> > Tuesday [0]:
> Thanks for the heads-up, and more generally to your prolific
> contributions to security in Guix!

Thank you for your advice and guidance, and to Efraim for taking the
lead on fixing this bug!

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]