bug#27429: Stack clash (CVE-2017-1000366 etc)

[Mark H Weaver]

Leo Famulari <address@hidden> writes:

> On Wed, Jun 21, 2017 at 12:50:45PM +0300, Efraim Flashner wrote:
>> Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
>> 
>> * gnu/packages/base.scm (glibc/linux)[replacement]: New field.
>> (glibc-2.25-fixed): New variable.
>> (address@hidden, address@hidden, address@hidden, address@hidden)[source]: 
>> Add patches.
>> [replacement]: New field.
>> (glibc-locales)[replacement]: New field.
>> * gnu/packages/commencement.scm (cross-gcc-wrapper)[replacement]: New field.
>> * gnu/packages/patches/glibc-CVE-2017-1000366.patch,
>> gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch,
>> gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Add them.
>
> I've applied this patch to my Guix-on-foreign-distro workstation.
> Everything seems to be working so far.
>
> I noticed that grafted packages do not seem refer directly to the
> replacement glibc. For example:
>
> $ ./pre-inst-env guix build -e '(@@ (gnu packages base) glibc-2.25-patched)'
> /gnu/store/kczijfli8cb0qjyrfzbrd06bdrpic7lx-glibc-2.25-debug
> /gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25

I wouldn't expect them to.  Almost(?) nothing in Guix links to the
'glibc' in (gnu packages base), so I wouldn't expect them to link to its
replacement either.

Most packages are linked with 'glibc-final' in (gnu packages
commencement), and we should expect them to now be linked with *its*
replacement.  Try this to find the expected glibc-final replacement:

  ./pre-inst-env guix build -e '((@@ (guix packages) package-replacement) (@@ 
(gnu packages commencement) glibc-final))'

> By the way, Qualys will probably begin publishing their exploits on
> Tuesday [0]:

Thanks for the heads-up, and more generally to your prolific
contributions to security in Guix!

      Mark