bug-guix

bug#27429: Stack clash (CVE-2017-1000366 etc)


From: Leo Famulari
Subject: bug#27429: Stack clash (CVE-2017-1000366 etc)
Date: Fri, 23 Jun 2017 13:20:38 -0400
User-agent: Mutt/1.8.3 (2017-05-23)

On Wed, Jun 21, 2017 at 12:50:45PM +0300, Efraim Flashner wrote:
> Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
> 
> * gnu/packages/base.scm (glibc/linux)[replacement]: New field.
> (glibc-2.25-fixed): New variable.
> (address@hidden, address@hidden, address@hidden, address@hidden)[source]: Add 
> patches.
> [replacement]: New field.
> (glibc-locales)[replacement]: New field.
> * gnu/packages/commencement.scm (cross-gcc-wrapper)[replacement]: New field.
> * gnu/packages/patches/glibc-CVE-2017-1000366.patch,
> gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch,
> gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.

I've applied this patch to my Guix-on-foreign-distro workstation.
Everything seems to be working so far.

I noticed that grafted packages do not seem to refer directly to the
replacement glibc. For example:

$ ./pre-inst-env guix build -e '(@@ (gnu packages base) glibc-2.25-patched)'
/gnu/store/kczijfli8cb0qjyrfzbrd06bdrpic7lx-glibc-2.25-debug
/gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25
$ guix gc --references /gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25
/gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25
/gnu/store/946hwcxnd9w13gyqprs0fzkmyyz4hdar-bash-static-4.4.12
/gnu/store/n4fmp3fj1yam5ijwa64irg7glvzsq4i1-bash-4.4.12
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25
$ guix gc --references $(./pre-inst-env guix build libressl)
/gnu/store/7ahy5yw88wq1fg1lmr84vy958sgzgp5g-libressl-2.5.4
/gnu/store/p8k2id55pynzjmaixlns94phvr7mz5ls-gcc-5.4.0-lib
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25

However, I haven't had time to dig in and wrap my head around the glibc
packages.

By the way, Qualys will probably begin publishing their exploits on
Tuesday [0]:

"We have discussed this internally, and we will first publish the Stack
Clash exploits and proofs-of-concepts that we sent to the distros@ and
linux-distros@ lists, plus our Linux ld.so exploit for amd64, and our
Solaris rsh exploit.

We will do so next Tuesday, but we will publish our Linux exploits and
proofs-of-concept if and only if Fedora updates are ready by then, our
NetBSD proof-of-concept if and only if NetBSD patches are ready by then,
and our FreeBSD proofs-of-concept if and only if FreeBSD patches are
ready by then."

[0] <http://seclists.org/oss-sec/2017/q2/548>
