On Thu, Jul 20, 2017 at 05:54:06PM +0200, Ludovic Courtès wrote:
> Leo Famulari wrote:
>
> > This is a place to discuss the "stack crash" bugs as they apply to our
> > packages.
> >
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000366
> > https://www.qualys.com/2017/06/19/stack-c
Leo Famulari wrote:
> This is a place to discuss the "stack crash" bugs as they apply to our
> packages.
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000366
> https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
I think we can close this bug now, can’t we?
Ludo’.
Leo Famulari wrote:
> On Fri, Jun 30, 2017 at 12:27:57AM +0200, Ludovic Courtès wrote:
>> > -(native-inputs `(("pkg-config" ,pkg-config)))
>> > +(arguments
>> > + `(#:phases
>> > + (modify-phases %standard-phases
>> > + (add-before 'configure 'bootstrap
>> > +
On Fri, Jun 30, 2017 at 12:27:57AM +0200, Ludovic Courtès wrote:
> > -(native-inputs `(("pkg-config" ,pkg-config)))
> > +(arguments
> > + `(#:phases
> > + (modify-phases %standard-phases
> > + (add-before 'configure 'bootstrap
> > + (lambda _ (zero? (system* "aut
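Review bot: the removed `native-inputs` line drops pkg-config just as the added 'bootstrap phase starts calling an external command through `system*` before 'configure, and the visible lines declare no input that provides that command. If the rest of the hunk does not re-add `native-inputs`, list the tools the phase invokes there, and keep pkg-config if the configure script still relies on it.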
Leo Famulari wrote:
> On Thu, Jun 29, 2017 at 10:06:08PM +0200, Ludovic Courtès wrote:
>> Leo, let me know when you feel that we should start a new evaluation.
>
> First I want to ungraft today's libgcrypt and poppler replacements.
>
> I also want to apply the attached patch so we can stop usin
On Thu, Jun 29, 2017 at 10:06:08PM +0200, Ludovic Courtès wrote:
> Leo, let me know when you feel that we should start a new evaluation.
First I want to ungraft today's libgcrypt and poppler replacements.
I also want to apply the attached patch so we can stop using
libgcrypt-1.5 with Shishi, and
Mark H Weaver wrote:
> l...@gnu.org (Ludovic Courtès) writes:
>
>> As discussed yesterday on IRC, here’s a patch that applies the glibc
>> patches for CVE-2017-1000366 in ‘core-updates’.
>>
>> That’s a rebuild-the-world change but we still have work to do in
>> ‘core-updates’ anyway, notably re
l...@gnu.org (Ludovic Courtès) writes:
> As discussed yesterday on IRC, here’s a patch that applies the glibc
> patches for CVE-2017-1000366 in ‘core-updates’.
>
> That’s a rebuild-the-world change but we still have work to do in
> ‘core-updates’ anyway, notably regarding the Perl dot-in-@INC issu
Hello gentlefolks!
As discussed yesterday on IRC, here’s a patch that applies the glibc
patches for CVE-2017-1000366 in ‘core-updates’.
That’s a rebuild-the-world change but we still have work to do in
‘core-updates’ anyway, notably regarding the Perl dot-in-@INC issue.
OK for you?
Thanks,
Ludo
On Fri, Jun 23, 2017 at 01:20:38PM -0400, Leo Famulari wrote:
> By the way, Qualys will probably begin publishing their exploits on
> Tuesday [0]:
Here they are:
http://seclists.org/oss-sec/2017/q2/635
It would be good if we tested the relevant exploits against GuixSD.
Mark H Weaver wrote:
> Yes, I ran "guix pull" for user mhw on Hydra, and then asked it to build
> a grafted 'hello' for all three hydra-supported platforms. This
> entailed building a grafted 'glibc-final' as well as 'perl' and 'expat'.
> I then ran:
>
> guix challenge --substitute-urls=http
Hi Ludovic,
l...@gnu.org (Ludovic Courtès) writes:
> Mark H Weaver wrote:
>
>> I tried to copy the .drv files for the grafted 'glibc-final' and
>> 'glibc-final-with-bootstrap-bash' from my machine to Hydra, in order to
>> ask Hydra to build it, but both "guix copy" and "guix archive --export"
Hi Mark,
Mark H Weaver wrote:
> I tried to copy the .drv files for the grafted 'glibc-final' and
> 'glibc-final-with-bootstrap-bash' from my machine to Hydra, in order to
> ask Hydra to build it, but both "guix copy" and "guix archive --export"
> failed:
>
> mhw@jojen ~$ guix copy --to=hydra@h
I agree, let's wait for guidance from the upstream GCC and GLIBC developers.
Original Message
From: Marius Bakke
Sent: June 25, 2017 6:41:06 AM EDT
To: Danny Milosavljevic , 27...@debbugs.gnu.org
Subject: bug#27429: Stack clash (CVE-2017-1000366 etc); -fstack-check
Danny Milosavljevic writes:
> Hi,
>
> what do you all think of rebuilding the world with "-fstack-check" (either
> now or later on) ?
>
> That would make gcc emit code to always grow the stack in a way that it
> certainly touches each 4 KiB (parametrizable by
> STACK_CHECK_PROBE_INTERVAL_EXP)
Hi,
what do you all think of rebuilding the world with "-fstack-check" (either now
or later on) ?
That would make gcc emit code to always grow the stack in a way that it
certainly touches each 4 KiB (parametrizable by STACK_CHECK_PROBE_INTERVAL_EXP)
page on the way.
I think that would be the
Mark H Weaver writes:
> Leo Famulari writes:
>
>> On Fri, Jun 23, 2017 at 02:36:41PM -0400, Mark H Weaver wrote:
>>> Most packages are linked with 'glibc-final' in (gnu packages
>>> commencement), and we should expect them to now be linked with *its*
>>> replacement. Try this to find the expect
Leo Famulari writes:
> On Fri, Jun 23, 2017 at 02:36:41PM -0400, Mark H Weaver wrote:
>> Most packages are linked with 'glibc-final' in (gnu packages
>> commencement), and we should expect them to now be linked with *its*
>> replacement. Try this to find the expected glibc-final replacement:
>>
On Fri, Jun 23, 2017 at 02:36:41PM -0400, Mark H Weaver wrote:
> Most packages are linked with 'glibc-final' in (gnu packages
> commencement), and we should expect them to now be linked with *its*
> replacement. Try this to find the expected glibc-final replacement:
>
> ./pre-inst-env guix buil
Leo Famulari writes:
> On Wed, Jun 21, 2017 at 12:50:45PM +0300, Efraim Flashner wrote:
>> Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
>>
>> * gnu/packages/base.scm (glibc/linux)[replacement]: New field.
>> (glibc-2.25-fixed): New variable.
>> (glibc@2.24, glibc@2.23, glibc@2.22, glibc@
On Wed, Jun 21, 2017 at 12:50:45PM +0300, Efraim Flashner wrote:
> Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
>
> * gnu/packages/base.scm (glibc/linux)[replacement]: New field.
> (glibc-2.25-fixed): New variable.
> (glibc@2.24, glibc@2.23, glibc@2.22, glibc@2.21)[source]: Add patches.
>
On Thu, Jun 22, 2017 at 02:34:21PM -0400, Leo Famulari wrote:
> It's building stuff, but it downloaded several parts of the bootstrap
> (gettext-boot0, perl-boot0, etc) and is now building the base packages
> of the distribution (perl, etc).
>
> So, I'm skeptical that it's grafting in the way we n
On Thu, Jun 22, 2017 at 12:17:37PM -0400, Leo Famulari wrote:
> On Thu, Jun 22, 2017 at 02:44:11AM -0400, Mark H Weaver wrote:
> > Leo Famulari writes:
> > > Hm, I noticed the bootstrap binaries being downloaded, so I don't think
> > > this patch applies the graft without causing a full rebuild.
>
On Thu, Jun 22, 2017 at 02:44:11AM -0400, Mark H Weaver wrote:
> Leo Famulari writes:
> > Hm, I noticed the bootstrap binaries being downloaded, so I don't think
> > this patch applies the graft without causing a full rebuild.
>
> It's likely that this is because of the new behavior of Hydra, whe
Leo Famulari writes:
> On Wed, Jun 21, 2017 at 07:52:27PM -0400, Leo Famulari wrote:
>> On Wed, Jun 21, 2017 at 12:50:45PM +0300, Efraim Flashner wrote:
>> > Had to make a small change to the patch, it turns out it couldn't build
>> > the source for glibc@2.21, so I changed the source to inherit
On Wed, Jun 21, 2017 at 07:52:27PM -0400, Leo Famulari wrote:
> On Wed, Jun 21, 2017 at 12:50:45PM +0300, Efraim Flashner wrote:
> > Had to make a small change to the patch, it turns out it couldn't build
> > the source for glibc@2.21, so I changed the source to inherit from
> > glibc@2.22 and not
On Wed, Jun 21, 2017 at 12:50:45PM +0300, Efraim Flashner wrote:
> Had to make a small change to the patch, it turns out it couldn't build
> the source for glibc@2.21, so I changed the source to inherit from
> glibc@2.22 and not just from glibc. It doesn't change anything for the
> actual glibc@2.2
Had to make a small change to the patch, it turns out it couldn't build
the source for glibc@2.21, so I changed the source to inherit from
glibc@2.22 and not just from glibc. It doesn't change anything for the
actual glibc@2.25.
--
Efraim Flashner אפרים פלשנר
GPG key = A28B F40C 3E55 1372 66
On Tue, Jun 20, 2017 at 05:44:42PM -0400, Mark H Weaver wrote:
> Hi Efraim,
>
> Thanks so much for working on this!
>
> Grafting glibc is something we haven't done before to my knowledge, and
> it is a bit tricky because of all of the inherited versions of glibc.
> At present, those inherited ver
Hi Efraim,
Thanks so much for working on this!
Grafting glibc is something we haven't done before to my knowledge, and
it is a bit tricky because of all of the inherited versions of glibc.
At present, those inherited versions are not expressed in such a way to
make grafting work.
One important t
On Tue, Jun 20, 2017 at 10:18:57AM +0300, Efraim Flashner wrote:
> Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
>
> * gnu/packages/base.scm (glibc)[replacement]: New field.
> (glibc-2.25-fixed): New variable.
> (glibc@2.24, glibc@2.23, glibc@2.22, glibc@2.21)[source]: Add patch.
> [replace
On Mon, Jun 19, 2017 at 08:49:20PM -0400, Leo Famulari wrote:
> On the glibc bugs (CVE-2016-1000366), civodul said:
>
> [21:02:26] lfam: i *think* GuixSD is immune to the
> LD_LIBRARY_PATH one, FWIW
> [...]
> [21:02:43] lfam: because of the way is_trusted_path works
> in glib
Leo Famulari writes:
> This is a place to discuss the "stack crash" bugs as they apply to our
> packages.
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000366
> https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
I pushed commit 91c623aae0f10992aa46957b9072679534e4cd28 w
On the glibc bugs (CVE-2016-1000366), civodul said:
[21:02:26] lfam: i *think* GuixSD is immune to the
LD_LIBRARY_PATH one, FWIW
[...]
[21:02:43] lfam: because of the way is_trusted_path works
in glibc
https://gnunet.org/bot/log/guix/2017-06-19#T1422600
Relevant upstrea
On Mon, Jun 19, 2017 at 07:05:10PM -0400, Leo Famulari wrote:
> I'm currently testing the patch for CVE-2017-1000369 in Exim:
>
> https://git.exim.org/exim.git/commit/65e061b76867a9ea7aeeb535341b790b90ae6c21
>
> "To reach the start of the stack with the end of the heap (man brk), we
> permanently
I'm currently testing the patch for CVE-2017-1000369 in Exim:
https://git.exim.org/exim.git/commit/65e061b76867a9ea7aeeb535341b790b90ae6c21
"To reach the start of the stack with the end of the heap (man brk), we
permanently leak memory through multiple -p command-line arguments that
are malloc()a
This is a place to discuss the "stack crash" bugs as they apply to our
packages.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000366
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt