[bug#50698] [PATCH] WIP patches for recently-known hurd security vulnerabilities
From: Ludovic Courtès
Subject: [bug#50698] [PATCH] WIP patches for recently-known hurd security vulnerabilities
Date: Mon, 04 Oct 2021 15:52:27 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
Hi Maxime,
Maxime Devos <maximedevos@telenet.be> wrote:
> I've tried to patch the glibc package for the problems noted at
> <https://lists.gnu.org/archive/html/bug-hurd/2021-08/msg00007.html>.
>
> I've found two recent patches (glibc-hurd-proc-reauth.patch and
> glibc-hurd-sendmsg-SCM_CREDS.patch) that appeared relevant. I tried
> to patch our glibc package with those patches.
>
> The modified tarball builds fine for --system=x86_64-linux, but not
> for --system=i586-gnu (tested with ./pre-inst-env guix build hello
> --system=i586-gnu). Any idea what's happening here?
Thanks for looking into it!
> From cdf38fbfcba4c87777d7ba2175f08e877dafe86a Mon Sep 17 00:00:00 2001
> From: Maxime Devos <maximedevos@telenet.be>
> Date: Mon, 13 Sep 2021 11:23:21 +0200
> Subject: [PATCH] WIP gnu: glibc: New security patches.
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
>
> The existence of the vulnerabilities was noted at
> <https://lists.gnu.org/archive/html/bug-hurd/2021-08/msg00007.html>.
>
> TODO: check if these are all necessary packages for glibc.
> TODO: why does the glibc tarball build for --system=x86_64-linux but not
> for --system=i586-gnu?
>
> Build error:
> ‘patching file hurd/hurdinit.c
> Hunk #1 FAILED at 177.
> 1 out of 1 hunk FAILED -- saving rejects to file hurd/hurdinit.c.rej’
>
> but this file isn't modified by the new patches!
>
> * gnu/local.mk (dist_patch_DATA): Register new patches.
> * gnu/packages/base.scm (glibc)[replacement]: Register replacement.
> (glibc/fixed): New variable.
> * gnu/packages/patches/glibc-hurd-proc-reauth.patch: New file.
> * gnu/packages/patches/glibc-hurd-sendmsg-SCM_CREDS.patch.
[...]
> --- a/gnu/packages/base.scm
> +++ b/gnu/packages/base.scm
> @@ -706,6 +706,7 @@ the store.")
> (package
> (name "glibc")
> (version "2.31")
> + (replacement glibc/fixed)
> (source (origin
> (method url-fetch)
> (uri (string-append "mirror://gnu/glibc/glibc-" version
> ".tar.xz"))
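Review bot: `(replacement glibc/fixed)` next to `(version "2.31")` is unconditional, so the graft is applied on every system, including x86_64-linux, where the two Hurd patches change nothing and everything depending on glibc is re-grafted for no benefit; suggest guarding the replacement on the target, or applying the patches in a build phase that only exists when `(hurd-target?)` holds, so GNU/Linux builds keep the unmodified package.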
> @@ -966,6 +967,12 @@ with the Linux kernel.")
> (license lgpl2.0+)
> (home-page "https://www.gnu.org/software/libc/")))
>
> +(define glibc/fixed
> + (package-with-extra-patches
> + glibc
> + (search-patches "glibc-hurd-sendmsg-SCM_CREDS.patch"
> + "glibc-hurd-proc-reauth.patch")))
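Review bot: `glibc/fixed` is introduced without a comment saying which vulnerabilities the two patches address, where they come from or what their upstream status is; the bug-hurd thread linked in the commit message belongs in a comment above the `define`. Note also that `package-with-extra-patches` appends to glibc's existing patch list, so the two new patches are applied after every patch glibc already carries; since the i586-gnu failure quoted in the commit message is in hurd/hurdinit.c, a file the new patches do not touch, it is worth checking whether the i586-gnu build applies a patch to that file that the x86_64-linux build does not before assuming the new patches are at fault.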
Instead of a replacement, which makes no sense on GNU/Linux, could you
add a conditional phase for (hurd-target?) that applies the patches?
(On ‘core-updates’ (or ‘-frozen’?) we will apply patches
unconditionally.)
Not answering your initial question, but maybe the problem will vanish
if you do things this way, who knows. :-)
> +++ b/gnu/packages/patches/glibc-hurd-proc-reauth.patch
> @@ -0,0 +1,114 @@
> +Index: glibc-2.31/hurd/hurdsig.c
Please add a comment explaining what this patch does, what its status
is, with a link to upstream discussions.
Thank you!
Ludo’.
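The conditional-phase approach suggested in the reply above, written out as an added example; this is not code from the patch under review nor from Guix's own glibc definition. It assumes the two patch files are registered in dist_patch_DATA as the commit message describes, that `hurd-target?` from (gnu packages hurd) and `search-patch` from (gnu packages) are available, and that the patches apply at strip level 1; the module name, the variable `glibc-with-hurd-fixes`, the phase name and the input labels are hypothetical.

```scheme
;; Added example, not part of the reviewed patch: apply the two Hurd patches
;; in a build phase that only exists when targeting GNU/Hurd, instead of
;; grafting a replacement package on every system.
(define-module (example glibc-hurd)          ; hypothetical module name
  #:use-module (guix packages)
  #:use-module (guix utils)                  ; substitute-keyword-arguments
  #:use-module (gnu packages)                ; search-patch
  #:use-module (gnu packages base)           ; glibc
  #:use-module (gnu packages hurd))          ; hurd-target?

(define-public glibc-with-hurd-fixes         ; hypothetical variable name
  (package
    (inherit glibc)
    ;; Make the patch files visible on the build side, but only for Hurd
    ;; builds; on GNU/Linux the inputs, and hence the derivation, are unchanged.
    (native-inputs
     (if (hurd-target?)
         `(("hurd-sendmsg-SCM_CREDS.patch"
            ,(search-patch "glibc-hurd-sendmsg-SCM_CREDS.patch"))
           ("hurd-proc-reauth.patch"
            ,(search-patch "glibc-hurd-proc-reauth.patch"))
           ,@(package-native-inputs glibc))
         (package-native-inputs glibc)))
    (arguments
     (substitute-keyword-arguments (package-arguments glibc)
       ((#:phases phases)
        (if (hurd-target?)
            `(modify-phases ,phases
               (add-after 'unpack 'apply-hurd-security-patches
                 (lambda* (#:key inputs #:allow-other-keys)
                   ;; Apply in a fixed order so that a failing hunk can be
                   ;; attributed to one named patch in the build log.
                   (for-each (lambda (name)
                               (invoke "patch" "--force" "-p1" "-i"
                                       (assoc-ref inputs name)))
                             '("hurd-sendmsg-SCM_CREDS.patch"
                               "hurd-proc-reauth.patch")))))
            ;; Not a Hurd target: keep glibc's phases exactly as they are.
            phases))))))
```

Because `hurd-target?` is evaluated when the package object is built, the x86_64-linux derivation is byte-for-byte the one glibc already has, which is the property a graft cannot give you; the phase also runs after `unpack` so it sees the source tree exactly as the regular patch phase left it.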