bug#27429: Stack clash (CVE-2017-1000366 etc)

bug-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#27429: Stack clash (CVE-2017-1000366 etc)

From:	Leo Famulari
Subject:	bug#27429: Stack clash (CVE-2017-1000366 etc)
Date:	Tue, 20 Jun 2017 09:16:21 -0400
User-agent:	Mutt/1.8.3 (2017-05-23)

On Tue, Jun 20, 2017 at 10:18:57AM +0300, Efraim Flashner wrote:
> Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
> 
> * gnu/packages/base.scm (glibc)[replacement]: New field.
> (glibc-2.25-fixed): New variable.
> (address@hidden, address@hidden, address@hidden, address@hidden)[source]: Add 
> patch.
> [replacement]: New field.
> (glibc-locales)[replacement]: New field.
> * gnu/packages/commencement.scm (glibc-final-with-bootstrap-bash,
> cross-gcc-wrapper, glibc-final)[replacement]: New field.
> * gnu/packages/patches/glibc-CVE-2017-1000366.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.

I'm not sure which glibc packages should be grafted and which should
not. But this patch doesn't seem to have an effect for me. With the
patch applied:

$ ./pre-inst-env guix build glibc
/gnu/store/d13m5axwk9vra6r50rq5wlmvi4vmlfcf-glibc-2.25-debug
/gnu/store/yk29yl8088c8qbj2259mf3879r107dsa-glibc-2.25
$ guix gc --references $(./pre-inst-env guix build gnupg)
/gnu/store/3qz6h4fgjn7n0p6vhqbk0lpv6pil0gr7-pcsc-lite-1.8.22
/gnu/store/5c9hjca0fjn0wq0ycx3b1zzza1ra6crq-npth-1.4
/gnu/store/a8p0j9m2i9jh8pczv2rp4bvmidi026d1-libassuan-2.4.3
/gnu/store/dcc4b6r7npjmhdsah1g6nw1j9wdy635y-sqlite-3.17.0
/gnu/store/dhc2iy059hi91fk55dcv79z09kp6500y-gcc-5.4.0-lib
/gnu/store/g5iwy1hp055y3aipasfxnh7dfnigzi82-gnupg-2.1.21
/gnu/store/hag795ji8p9vqikwp8cibfibpsa39s3n-libgcrypt-1.7.6
/gnu/store/j92kxc1l8h879cc4ss1gbhsq73ddnbsg-libgpg-error-1.26
/gnu/store/jsflzpi7pnc7m5p7cln8bjcma4lsi6hd-gnutls-3.5.D
/gnu/store/jwkcd7siv6fcyl0qsg607bg9c8ap0gqr-zlib-1.2.11
/gnu/store/k7029k5va68lkapbzcycdzj7m5bjb4b8-bash-4.4.12
/gnu/store/rmjlycdgiq8pfy5hfi42qhw3k7p6kdav-glibc-2.25
/gnu/store/sjm2c0dymn3mjl7g0jqbjdbibnqh0iaw-readline-7.0
/gnu/store/xa7q8aspczcmvh0hqyy790mwzgwmfwr3-openldap-2.4.44
/gnu/store/z0xz1z70rwp273chi1gyb9cxzblylzba-libksba-1.3.5

The grafted glibc doesn't appear to be referenced.

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

bug#27429: Stack clash (CVE-2017-1000366 etc), Leo Famulari, 2017/06/19
- bug#27429: Stack clash (CVE-2017-1000366 etc), Leo Famulari, 2017/06/19
  - bug#27429: Stack clash (CVE-2017-1000366 etc), Leo Famulari, 2017/06/19
- bug#27429: Stack clash (CVE-2017-1000366 etc), Leo Famulari, 2017/06/19
  - bug#27429: Stack clash (CVE-2017-1000366 etc), Efraim Flashner, 2017/06/20
    - bug#27429: Stack clash (CVE-2017-1000366 etc), Leo Famulari <=
    - bug#27429: Stack clash (CVE-2017-1000366 etc), Mark H Weaver, 2017/06/20
    - bug#27429: Stack clash (CVE-2017-1000366 etc), Efraim Flashner, 2017/06/21
    - bug#27429: Stack clash (CVE-2017-1000366 etc), Efraim Flashner, 2017/06/21
    - bug#27429: Stack clash (CVE-2017-1000366 etc), Leo Famulari, 2017/06/21
    - bug#27429: Stack clash (CVE-2017-1000366 etc), Leo Famulari, 2017/06/21
    - bug#27429: Stack clash (CVE-2017-1000366 etc), Mark H Weaver, 2017/06/22
    - bug#27429: Stack clash (CVE-2017-1000366 etc), Leo Famulari, 2017/06/22
    - bug#27429: Stack clash (CVE-2017-1000366 etc), Leo Famulari, 2017/06/22
    - bug#27429: Stack clash (CVE-2017-1000366 etc), Leo Famulari, 2017/06/22
    - bug#27429: Stack clash (CVE-2017-1000366 etc), Ludovic Courtès, 2017/06/29

Prev by Date: bug#27429: Stack clash (CVE-2017-1000366 etc)
Next by Date: bug#27430: linux-libre 4.4.47 is no longer available upstream
Previous by thread: bug#27429: Stack clash (CVE-2017-1000366 etc)
Next by thread: bug#27429: Stack clash (CVE-2017-1000366 etc)
Index(es):
- Date
- Thread