On Tue, Jun 20, 2017 at 10:18:57AM +0300, Efraim Flashner wrote:
> Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
>
> * gnu/packages/base.scm (glibc)[replacement]: New field.
> (glibc-2.25-fixed): New variable.
> (glibc@2.24, glibc@2.23, glibc@2.22, glibc@2.21)[source]: Add patch.
> [replacement]: New field.
> (glibc-locales)[replacement]: New field.
> * gnu/packages/commencement.scm (glibc-final-with-bootstrap-bash,
> cross-gcc-wrapper, glibc-final)[replacement]: New field.
> * gnu/packages/patches/glibc-CVE-2017-1000366.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.

I'm not sure which glibc packages should be grafted and which should
not. But this patch doesn't seem to have an effect for me.

With the patch applied:

$ ./pre-inst-env guix build glibc
/gnu/store/d13m5axwk9vra6r50rq5wlmvi4vmlfcf-glibc-2.25-debug
/gnu/store/yk29yl8088c8qbj2259mf3879r107dsa-glibc-2.25

$ guix gc --references $(./pre-inst-env guix build gnupg)
/gnu/store/3qz6h4fgjn7n0p6vhqbk0lpv6pil0gr7-pcsc-lite-1.8.22
/gnu/store/5c9hjca0fjn0wq0ycx3b1zzza1ra6crq-npth-1.4
/gnu/store/a8p0j9m2i9jh8pczv2rp4bvmidi026d1-libassuan-2.4.3
/gnu/store/dcc4b6r7npjmhdsah1g6nw1j9wdy635y-sqlite-3.17.0
/gnu/store/dhc2iy059hi91fk55dcv79z09kp6500y-gcc-5.4.0-lib
/gnu/store/g5iwy1hp055y3aipasfxnh7dfnigzi82-gnupg-2.1.21
/gnu/store/hag795ji8p9vqikwp8cibfibpsa39s3n-libgcrypt-1.7.6
/gnu/store/j92kxc1l8h879cc4ss1gbhsq73ddnbsg-libgpg-error-1.26
/gnu/store/jsflzpi7pnc7m5p7cln8bjcma4lsi6hd-gnutls-3.5.D
/gnu/store/jwkcd7siv6fcyl0qsg607bg9c8ap0gqr-zlib-1.2.11
/gnu/store/k7029k5va68lkapbzcycdzj7m5bjb4b8-bash-4.4.12
/gnu/store/rmjlycdgiq8pfy5hfi42qhw3k7p6kdav-glibc-2.25
/gnu/store/sjm2c0dymn3mjl7g0jqbjdbibnqh0iaw-readline-7.0
/gnu/store/xa7q8aspczcmvh0hqyy790mwzgwmfwr3-openldap-2.4.44
/gnu/store/z0xz1z70rwp273chi1gyb9cxzblylzba-libksba-1.3.5

The grafted glibc doesn't appear to be referenced.