06/06: gnu: glibc: Graft with fix for CVE-2024-2961.
From: |
guix-commits |
Subject: |
06/06: gnu: glibc: Graft with fix for CVE-2024-2961. |
Date: |
Wed, 18 Dec 2024 02:28:45 -0500 (EST) |
apteryx pushed a commit to branch master
in repository guix.
commit 78c4d00ab02ab41a22058cdbec0329752e47580f
Author: Maxim Cournoyer <maxim.cournoyer@gmail.com>
AuthorDate: Sat Dec 14 22:52:22 2024 +0900
gnu: glibc: Graft with fix for CVE-2024-2961.
* gnu/packages/base.scm (%glibc-patches): New variable.
(glibc) [source]: Use it.
[properties]: Mark CVE-2024-2961 as hidden (resolved).
[replacement]: Add field to graft with...
(glibc/fixed): ... this new package.
Fixes: <https://issues.guix.gnu.org/70581>
Change-Id: I6dd70b0e157283925824348f180c466c2f6387c9
---
gnu/packages/base.scm | 55 ++++++++++++++++++++++++++++++++++++++-------------
1 file changed, 41 insertions(+), 14 deletions(-)
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 87c7568ef2..4639050623 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -878,6 +878,21 @@ the store.")
(home-page "https://www.gnu.org/software/guix//")
(license gpl3+)))
+(define %glibc-patches
+ (list "glibc-2.39-git-updates.patch"
+ "glibc-ldd-powerpc.patch"
+ "glibc-2.38-ldd-x86_64.patch"
+ "glibc-dl-cache.patch"
+ "glibc-2.37-versioned-locpath.patch"
+ ;; "glibc-allow-kernel-2.6.32.patch"
+ "glibc-reinstate-prlimit64-fallback.patch"
+ "glibc-supported-locales.patch"
+ "glibc-2.37-hurd-clock_t_centiseconds.patch"
+ "glibc-2.37-hurd-local-clock_gettime_MONOTONIC.patch"
+ "glibc-hurd-mach-print.patch"
+ "glibc-hurd-gettyent.patch"
+ "glibc-hurd-getauxval.patch"))
+
(define-public glibc
;; This is the GNU C Library, used on GNU/Linux and GNU/Hurd. Prior to
;; version 2.28, GNU/Hurd used a different glibc branch.
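Review bot: `%glibc-patches` is introduced without a comment, yet `glibc/fixed` later in this commit depends on the exact string "glibc-2.39-git-updates.patch" being present in it. A header such as `;; Patches shared by 'glibc' and its graft 'glibc/fixed'; the latter drops "glibc-2.39-git-updates.patch" by name.` would make that coupling visible to whoever next renames or removes an entry. The commented-out `glibc-allow-kernel-2.6.32.patch` entry is carried over unchanged and could use a word on why it is kept.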
@@ -890,21 +905,11 @@ the store.")
(sha256
(base32
"09nrwb0ksbah9k35jchd28xxp2hidilqdgz7b8v5f30pz1yd8yzp"))
- (patches (search-patches "glibc-2.39-git-updates.patch"
- "glibc-ldd-powerpc.patch"
- "glibc-2.38-ldd-x86_64.patch"
- "glibc-dl-cache.patch"
- "glibc-2.37-versioned-locpath.patch"
- ;; "glibc-allow-kernel-2.6.32.patch"
- "glibc-reinstate-prlimit64-fallback.patch"
- "glibc-supported-locales.patch"
-
"glibc-2.37-hurd-clock_t_centiseconds.patch"
-
"glibc-2.37-hurd-local-clock_gettime_MONOTONIC.patch"
- "glibc-hurd-mach-print.patch"
- "glibc-hurd-gettyent.patch"
- "glibc-hurd-getauxval.patch"))))
- (properties `((lint-hidden-cve . ("CVE-2024-33601" "CVE-2024-33602"
+ (patches (map search-patch %glibc-patches))))
+ (properties `((lint-hidden-cve . ("CVE-2024-2961"
+ "CVE-2024-33601" "CVE-2024-33602"
"CVE-2024-33600" "CVE-2024-33599"))))
+ (replacement glibc/fixed)
(build-system gnu-build-system)
;; Glibc's <limits.h> refers to <linux/limit.h>, for instance, so glibc
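Review bot: Adding "CVE-2024-2961" to `lint-hidden-cve` on `glibc` itself hides the CVE for a package whose own source (the `sha256` just above is unchanged) evidently still lacks the fix; only the new `replacement` field supplies it. A comment beside the property would record that, for example `;; CVE-2024-2961 is fixed by the 'glibc/fixed' graft, not by this source.` Builds made with grafts disabled, and presumably anything that links glibc statically, keep the unpatched code, so the entry is worth revisiting when glibc is next upgraded with a full rebuild. The `glibc` package body starts before and continues after this hunk.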
@@ -1182,6 +1187,28 @@ with the Linux kernel.")
(license lgpl2.0+)
(home-page "https://www.gnu.org/software/libc/")))
+(define glibc/fixed
+ (package
+ (inherit glibc)
+ (name "glibc")
+ (version (package-version glibc))
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "git://sourceware.org/git/glibc.git")
+ ;; This is the latest commit from the
+ ;; 'release/2.39/master' branch, where CVEs and other
+ ;; important bug fixes are cherry picked.
+ (commit "2c882bf9c15d206aaf04766d1b8e3ae5b1002cc2")))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "111yf24g0qcfcxywfzrilmjxysahlbkzxfimcz9rq8p00qzvvf51"))
+ (patches (map search-patch
+ (fold (cut delete <...>)
+ %glibc-patches
+ '("glibc-2.39-git-updates.patch"))))))))
+
;; Define a variation of glibc which uses the default /etc/ld.so.cache, useful
;; in FHS containers.
(define-public glibc-for-fhs
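Review bot: The `git-reference` in `glibc/fixed` uses the plain `git://` transport, which is unauthenticated and unencrypted. The pinned commit and `sha256` still guarantee the fetched content, but the download can be interfered with, or simply blocked on networks that filter port 9418. Writing `(url "https://sourceware.org/git/glibc.git")` avoids that without changing the hash. Separately, the `fold`/`cut` expression removes a single element and could read `(delete "glibc-2.39-git-updates.patch" %glibc-patches)`. The comment "latest commit" will also go stale, so adding the date it was checked would help.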