GNU bug report logs - #29000
[PATCH] gnu: glibc: Ungraft fix for CVE-2017-15670, CVE-2017-15671.


Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Wed, 25 Oct 2017 18:57:02 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#29000; Package guix-patches. (Wed, 25 Oct 2017 18:57:02 GMT)

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Wed, 25 Oct 2017 18:57:03 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: glibc: Ungraft fix for CVE-2017-15670, CVE-2017-15671.
Date: Wed, 25 Oct 2017 14:56:07 -0400
* gnu/packages/base.scm (glibc)[replacement]: Remove field.
[source]: Add 'glibc-CVE-2017-15670-15671.patch'.
(glibc/fixed): Remove variable.
---
 gnu/packages/base.scm | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)

diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 9cb628d8d..e1826f57b 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -528,7 +528,6 @@ store.")
   (package
    (name "glibc")
    (version "2.25")
-   (replacement glibc/fixed)
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/glibc/glibc-"
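Review bot: Removing `(replacement glibc/fixed)` while `(version "2.25")` stays unchanged means the fixed and unfixed builds are no longer told apart by version; the only record of the CVE-2017-15670/15671 fix is the patch added in the next hunk, so this hunk must not be picked to master on its own, where it would silently revert the graft. As agreed in the thread, the change is for core-updates only; state that target in the commit message so the dependency between the two hunks is obvious to whoever merges it.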
@@ -549,6 +548,7 @@ store.")
                                      "glibc-o-largefile.patch"
                                      "glibc-memchr-overflow-i686.patch"
                                      "glibc-vectorized-strcspn-guards.patch"
+                                     "glibc-CVE-2017-15670-15671.patch"
                                      "glibc-CVE-2017-1000366-pt1.patch"
                                      "glibc-CVE-2017-1000366-pt2.patch"
                                      "glibc-CVE-2017-1000366-pt3.patch"))))
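Review bot: The new entry is inserted before the CVE-2017-1000366 patches, whereas the graft being removed appended it after every existing patch (`(append (origin-patches (package-source glibc)) (search-patches "glibc-CVE-2017-15670-15671.patch"))`). Patch order matters when hunks touch the same files, and the graft was only ever tested with the patch applied last. Either move the new line to the end of the list to preserve that order, or confirm the source still unpacks cleanly in the new order (e.g. `guix build -S glibc` on core-updates) before pushing.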
@@ -787,15 +787,6 @@ GLIBC/HURD for a Hurd host"
 (define-syntax glibc
   (identifier-syntax (glibc-for-target)))
 
-(define glibc/fixed
-  (package
-    (inherit glibc)
-    (source (origin
-              (inherit (package-source glibc))
-              (patches (append
-                        (origin-patches (package-source glibc))
-                        (search-patches "glibc-CVE-2017-15670-15671.patch")))))))
-
 ;; Below are old libc versions, which we use mostly to build locale data in
 ;; the old format (which the new libc cannot cope with.)
 
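Review bot: Before deleting the `glibc/fixed` definition, check that nothing else in the tree still names it (another package's `(replacement glibc/fixed)`, or a package inheriting from it), e.g. `grep -rn 'glibc/fixed' gnu/`; a leftover reference would fail at load time with an unbound variable rather than at build time. The `glibc` identifier-syntax above is unaffected since it expands to `(glibc-for-target)`, which never referred to `glibc/fixed`.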
-- 
2.14.3





Information forwarded to guix-patches <at> gnu.org:
bug#29000; Package guix-patches. (Wed, 25 Oct 2017 19:05:02 GMT)

Message #8 received at 29000 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 29000 <at> debbugs.gnu.org
Subject: Ungrafting glibc?
Date: Wed, 25 Oct 2017 15:04:28 -0400
It would be nice to ungraft glibc soon, in my opinion.

Grafting the entire distribution causes some user experience issues that
many of us are used to, but that are not really that great, especially
for new users.

The issue is build farm capacity.

I wonder how long it takes to rebuild everything for Intel-compatible
systems on berlin.guixsd.org?

Maybe fast enough that rebuilding the world for this change would not
disrupt Guix development too much... except that rebuilding the world
for armhf would take a very long time, during which we could not be
building the other regular changes for armhf.

Ideas and discussion welcome!

Information forwarded to guix-patches <at> gnu.org:
bug#29000; Package guix-patches. (Thu, 26 Oct 2017 22:33:02 GMT)

Message #11 received at 29000 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 29000 <at> debbugs.gnu.org
Subject: Re: [bug#29000] Ungrafting glibc?
Date: Thu, 26 Oct 2017 15:32:45 -0700
Hello!

Leo Famulari <leo <at> famulari.name> skribis:

> It would be nice to ungraft glibc soon, in my opinion.

Yes.  I think if you do that in ‘core-updates’, we can start building
it; it’s long overdue anyway.  How does that sound?

> Grafting the entire distribution causes some user experience issues that
> many of us are used to, but that are not really that great, especially
> for new users.

Honestly, I feel that this bad user experience is a shame, and fixing it
is among my priorities.  It should be possible to have grafts without
their current negative effects on the UI.

> The issue is build farm capacity.

Yes, though even with infinite build farm capacity, we wouldn’t want to
force people to rebuild/redownload the world too often.

That said…

> I wonder how long it takes to rebuild everything for Intel-compatible
> systems on berlin.guixsd.org?

Good question.  An interesting project would be to measure latency
between push date and substitute availability date, for instance.

berlin is pretty powerful now, so now we should see whether ‘guix
offload’ incurs too much overhead.

> Maybe fast enough that rebuilding the world for this change would not
> disrupt Guix development too much... except that rebuilding the world
> for armhf would take a very long time, during which we could not be
> building the other regular changes for armhf.

Yes, that’s another problem, but I hope we’ll alleviate it soon by
buying ARM machines.

Ludo’.




Information forwarded to guix-patches <at> gnu.org:
bug#29000; Package guix-patches. (Thu, 26 Oct 2017 22:34:02 GMT)

Message #14 received at 29000 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 29000 <at> debbugs.gnu.org
Subject: Re: [bug#29000] [PATCH] gnu: glibc: Ungraft fix for CVE-2017-15670, CVE-2017-15671.
Date: Thu, 26 Oct 2017 15:33:14 -0700
Leo Famulari <leo <at> famulari.name> skribis:

> * gnu/packages/base.scm (glibc)[replacement]: Remove field.
> [source]: Add 'glibc-CVE-2017-15670-15671.patch'.
> (glibc/fixed): Remove variable.

OK for core-updates, thanks!




bug closed, send any further explanations to 29000 <at> debbugs.gnu.org and Leo Famulari <leo <at> famulari.name> Request was from Leo Famulari <leo <at> famulari.name> to control <at> debbugs.gnu.org. (Fri, 01 Feb 2019 12:46:03 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 02 Mar 2019 12:24:04 GMT)


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.