guix-patches

[bug#46959] [PATCH 0/1] WIP: gnu: newlib: Fix CVE-2021-3420.


From: Christopher Baines
Subject: [bug#46959] [PATCH 0/1] WIP: gnu: newlib: Fix CVE-2021-3420.
Date: Sun, 07 Mar 2021 13:57:05 +0000
User-agent: mu4e 1.4.15; emacs 27.1

Léo Le Bouter via Guix-patches via <guix-patches@gnu.org> writes:

> newlib-CVE-2021-3420.patch needs backporting to the versions of newlib it is
> being applied to, so if you are interested or a user of those packages please
> finish the work, otherwise well CVE-2021-3420 will probably remain unfixed.
>
> The versions of newlib are too old and too specific for it to be
> maintainable security-wise, especially considering upstream does not seem to
> maintain older versions at all. I don't think GNU Guix should take that role,
> but of course the people who depend on these packages can ensure they are good
> enough for themselves, otherwise contribute changes.
>
> Léo Le Bouter (1):
>   gnu: newlib: Fix CVE-2021-3420.
>
>  gnu/local.mk                                  |   1 +
>  gnu/packages/embedded.scm                     |   6 +-
>  .../patches/newlib-CVE-2021-3420.patch        | 105 ++++++++++++++++++
>  3 files changed, 110 insertions(+), 2 deletions(-)
>  create mode 100644 gnu/packages/patches/newlib-CVE-2021-3420.patch

Hey,

Looking at [1] and following through the "View comparison" links, it
seems that there are some problems applying the patch added here; I can't
see a case where it's applied successfully.

1: 
https://patches.guix-patches.cbaines.net/project/guix-patches/patch/20210306050521.11571-1-lle-bout@zaclys.net/

Unfortunately this data is still a bit hidden, but if you click on
"Compare package derivations", get all the results, then find
newlib@3.0.0-0.3ccfb40 and look at the build for x86_64-linux, you
should get to this page [2] and from the "Required failed builds", I'm
guessing the source part of the package build has failed.

2: 
https://data.guix-patches.cbaines.net/build-server/5/build?build_server_build_id=dd289414-7653-4b63-8b3c-7a55cdf55820

Any ideas? What packages should build with this change?

Thanks,

Chris
