bug#27429: Stack clash (CVE-2017-1000366 etc)
From: Mark H Weaver
Subject: bug#27429: Stack clash (CVE-2017-1000366 etc)
Date: Sat, 24 Jun 2017 03:11:25 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)

Mark H Weaver <address@hidden> writes:
> Leo Famulari <address@hidden> writes:
>
>> On Fri, Jun 23, 2017 at 02:36:41PM -0400, Mark H Weaver wrote:
>>> Most packages are linked with 'glibc-final' in (gnu packages
>>> commencement), and we should expect them to now be linked with *its*
>>> replacement. Try this to find the expected glibc-final replacement:
>>>
>>> ./pre-inst-env guix build -e '((@@ (guix packages) package-replacement)
>>> (@@ (gnu packages commencement) glibc-final))'
>>
>> Thank you for the clarification. Indeed, with Efraim's latest patch,
>> packages seem to be referring to the replacement for glibc-final.
>
> That's good news!
>
>> So, do we think this patch is ready to apply? AFAIK, nobody has yet
>> tried upgrading a GuixSD system with this patch. I won't have access to
>> my bare-metal GuixSD system for the next few days.
>
> I think someone should try reconfiguring their GuixSD system and booting
> into it before we apply it to master. I might be able to do it tonight,
> or else I can do it tomorrow.

I made some minor cleanups to the patch, split it up into multiple
patches, and upgraded my GuixSD system to use it. My system seems to
work fine. I don't have time right now to verify that the grafting is
being done correctly, but I went ahead and pushed the commits to
'master' anyway, based on Leo's preliminary observations.

I'm dubious about the changes made to glibc-2.21, but that can be fixed
up later.

I tried to copy the .drv files for the grafted 'glibc-final' and
'glibc-final-with-bootstrap-bash' from my machine to Hydra, in order to
ask Hydra to build it, but both "guix copy" and "guix archive --export"
failed:

--8<---------------cut here---------------start------------->8---
address@hidden ~$ guix copy address@hidden
/gnu/store/17gcwll4a2y3cjk8jf3fg2gr105m9f4i-glibc-2.25.drv
/gnu/store/78j5arbcgjfbj0m91fn6p5s71kz7w2yw-glibc-2.25.drv
sending 11 store items to 'localhost'...
guix copy: error: corrupt input while restoring archive from #<closed: file
231bbd0>
address@hidden ~$ guix archive --export
/gnu/store/17gcwll4a2y3cjk8jf3fg2gr105m9f4i-glibc-2.25.drv
/gnu/store/78j5arbcgjfbj0m91fn6p5s71kz7w2yw-glibc-2.25.drv >
GRAFTED-GLIBC-DRVS.nar
guix archive: error: corrupt input while restoring archive from #<closed: file
17e9d20>
--8<---------------cut here---------------end--------------->8---

I'm concerned that i686 and armhf users are going to have a rude
awakening when they not only have to build two variants of glibc, but
also a bunch of the early bootstrap because the NARs are not available
on Hydra. It would be good if someone could take care of that.

I'm sorry, but I need to sleep now. Hopefully someone else can take it
from here.

Mark