[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#27429: Stack clash (CVE-2017-1000366 etc)
From: |
Mark H Weaver |
Subject: |
bug#27429: Stack clash (CVE-2017-1000366 etc) |
Date: |
Fri, 23 Jun 2017 14:36:41 -0400 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux) |
Leo Famulari <address@hidden> writes:
> On Wed, Jun 21, 2017 at 12:50:45PM +0300, Efraim Flashner wrote:
>> Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
>>
>> * gnu/packages/base.scm (glibc/linux)[replacement]: New field.
>> (glibc-2.25-fixed): New variable.
>> (address@hidden, address@hidden, address@hidden, address@hidden)[source]:
>> Add patches.
>> [replacement]: New field.
>> (glibc-locales)[replacement]: New field.
>> * gnu/packages/commencement.scm (cross-gcc-wrapper)[replacement]: New field.
>> * gnu/packages/patches/glibc-CVE-2017-1000366.patch,
>> gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch,
>> gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Add them.
>
> I've applied this patch to my Guix-on-foreign-distro workstation.
> Everything seems to be working so far.
>
> I noticed that grafted packages do not seem refer directly to the
> replacement glibc. For example:
>
> $ ./pre-inst-env guix build -e '(@@ (gnu packages base) glibc-2.25-patched)'
> /gnu/store/kczijfli8cb0qjyrfzbrd06bdrpic7lx-glibc-2.25-debug
> /gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25
I wouldn't expect them to. Almost(?) nothing in Guix links to the
'glibc' in (gnu packages base), so I wouldn't expect them to link to its
replacement either.
Most packages are linked with 'glibc-final' in (gnu packages
commencement), and we should expect them to now be linked with *its*
replacement. Try this to find the expected glibc-final replacement:
./pre-inst-env guix build -e '((@@ (guix packages) package-replacement) (@@
(gnu packages commencement) glibc-final))'
> By the way, Qualys will probably begin publishing their exploits on
> Tuesday [0]:
Thanks for the heads-up, and more generally to your prolific
contributions to security in Guix!
Mark
- bug#27429: Stack clash (CVE-2017-1000366 etc), (continued)
- bug#27429: Stack clash (CVE-2017-1000366 etc), Mark H Weaver, 2017/06/20
- bug#27429: Stack clash (CVE-2017-1000366 etc), Efraim Flashner, 2017/06/21
- bug#27429: Stack clash (CVE-2017-1000366 etc), Efraim Flashner, 2017/06/21
- bug#27429: Stack clash (CVE-2017-1000366 etc), Leo Famulari, 2017/06/21
- bug#27429: Stack clash (CVE-2017-1000366 etc), Leo Famulari, 2017/06/21
- bug#27429: Stack clash (CVE-2017-1000366 etc), Mark H Weaver, 2017/06/22
- bug#27429: Stack clash (CVE-2017-1000366 etc), Leo Famulari, 2017/06/22
- bug#27429: Stack clash (CVE-2017-1000366 etc), Leo Famulari, 2017/06/22
- bug#27429: Stack clash (CVE-2017-1000366 etc), Leo Famulari, 2017/06/22
- bug#27429: Stack clash (CVE-2017-1000366 etc), Leo Famulari, 2017/06/23
- bug#27429: Stack clash (CVE-2017-1000366 etc),
Mark H Weaver <=
- bug#27429: Stack clash (CVE-2017-1000366 etc), Leo Famulari, 2017/06/23
- bug#27429: Stack clash (CVE-2017-1000366 etc), Mark H Weaver, 2017/06/23
- bug#27429: Stack clash (CVE-2017-1000366 etc), Mark H Weaver, 2017/06/24
- bug#27429: Stack clash (CVE-2017-1000366 etc), Ludovic Courtès, 2017/06/26
- bug#27429: Stack clash (CVE-2017-1000366 etc), Mark H Weaver, 2017/06/26
- bug#27429: Stack clash (CVE-2017-1000366 etc), Ludovic Courtès, 2017/06/27
- bug#27429: Stack clash (CVE-2017-1000366 etc), Leo Famulari, 2017/06/28
bug#27429: Stack clash (CVE-2017-1000366 etc), Mark H Weaver, 2017/06/19
bug#27429: Stack clash (CVE-2017-1000366 etc); -fstack-check, Danny Milosavljevic, 2017/06/25