Leo Famulari <l...@famulari.name> writes:

> On Wed, Jun 21, 2017 at 12:50:45PM +0300, Efraim Flashner wrote:
>> Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
>>
>> * gnu/packages/base.scm (glibc/linux)[replacement]: New field.
>> (glibc-2.25-fixed): New variable.
>> (glibc@2.24, glibc@2.23, glibc@2.22, glibc@2.21)[source]: Add patches.
>> [replacement]: New field.
>> (glibc-locales)[replacement]: New field.
>> * gnu/packages/commencement.scm (cross-gcc-wrapper)[replacement]: New field.
>> * gnu/packages/patches/glibc-CVE-2017-1000366.patch,
>> gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch,
>> gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Add them.
>
> I've applied this patch to my Guix-on-foreign-distro workstation.
> Everything seems to be working so far.
>
> I noticed that grafted packages do not seem to refer directly to the
> replacement glibc. For example:
>
> $ ./pre-inst-env guix build -e '(@@ (gnu packages base) glibc-2.25-patched)'
> /gnu/store/kczijfli8cb0qjyrfzbrd06bdrpic7lx-glibc-2.25-debug
> /gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25
I wouldn't expect them to. Almost(?) nothing in Guix links to the 'glibc' in (gnu packages base), so I wouldn't expect them to link to its replacement either. Most packages are linked with 'glibc-final' in (gnu packages commencement), and we should expect them to now be linked with *its* replacement.

Try this to find the expected glibc-final replacement:

  ./pre-inst-env guix build -e '((@@ (guix packages) package-replacement) (@@ (gnu packages commencement) glibc-final))'

> By the way, Qualys will probably begin publishing their exploits on
> Tuesday [0]:

Thanks for the heads-up, and more generally for your prolific contributions to security in Guix!

Mark