GNU bug report logs -
#29490
[PATCH] Revert "gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671."
Previous Next
Reported by: Marius Bakke <mbakke <at> fastmail.com>
Date: Tue, 28 Nov 2017 17:10:02 UTC
Severity: normal
Tags: patch
Done: Marius Bakke <mbakke <at> fastmail.com>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 29490 in the body.
You can then email your comments to 29490 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
guix-patches <at> gnu.org:
bug#29490; Package
guix-patches.
(Tue, 28 Nov 2017 17:10:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Marius Bakke <mbakke <at> fastmail.com>:
New bug report received and forwarded. Copy sent to
guix-patches <at> gnu.org.
(Tue, 28 Nov 2017 17:10:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
These issues has been classified as minor by Debian:
https://security-tracker.debian.org/tracker/CVE-2017-15670
https://security-tracker.debian.org/tracker/CVE-2017-15671
...and is not worth the cost of grafting and maintaining this patch.
This reverts commit 60e29339d8389e678bb9ca4bd3420ee9ee88bdf2.
---
gnu/local.mk | 1 -
gnu/packages/base.scm | 13 -----------
.../patches/glibc-CVE-2017-15670-15671.patch | 27 ----------------------
3 files changed, 41 deletions(-)
delete mode 100644 gnu/packages/patches/glibc-CVE-2017-15670-15671.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 0a46bfd3d..7b2fb7c7a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -682,7 +682,6 @@ dist_patch_DATA = \
%D%/packages/patches/glibc-CVE-2017-1000366-pt1.patch \
%D%/packages/patches/glibc-CVE-2017-1000366-pt2.patch \
%D%/packages/patches/glibc-CVE-2017-1000366-pt3.patch \
- %D%/packages/patches/glibc-CVE-2017-15670-15671.patch \
%D%/packages/patches/glibc-bootstrap-system.patch \
%D%/packages/patches/glibc-ldd-x86_64.patch \
%D%/packages/patches/glibc-locales.patch \
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 9cb628d8d..bc745351a 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -528,7 +528,6 @@ store.")
(package
(name "glibc")
(version "2.25")
- (replacement glibc/fixed)
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnu/glibc/glibc-"
@@ -787,15 +786,6 @@ GLIBC/HURD for a Hurd host"
(define-syntax glibc
(identifier-syntax (glibc-for-target)))
-(define glibc/fixed
- (package
- (inherit glibc)
- (source (origin
- (inherit (package-source glibc))
- (patches (append
- (origin-patches (package-source glibc))
- (search-patches "glibc-CVE-2017-15670-15671.patch")))))))
-
;; Below are old libc versions, which we use mostly to build locale data in
;; the old format (which the new libc cannot cope with.)
@@ -815,7 +805,6 @@ GLIBC/HURD for a Hurd host"
"glibc-o-largefile.patch"
"glibc-vectorized-strcspn-guards.patch"
"glibc-CVE-2015-5180.patch"
- "glibc-CVE-2017-15670-15671.patch"
"glibc-CVE-2017-1000366-pt1.patch"
"glibc-CVE-2017-1000366-pt2.patch"
"glibc-CVE-2017-1000366-pt3.patch"))))))
@@ -839,7 +828,6 @@ GLIBC/HURD for a Hurd host"
"glibc-CVE-2016-3075.patch"
"glibc-CVE-2016-3706.patch"
"glibc-CVE-2016-4429.patch"
- "glibc-CVE-2017-15670-15671.patch"
"glibc-CVE-2017-1000366-pt1.patch"
"glibc-CVE-2017-1000366-pt2.patch"
"glibc-CVE-2017-1000366-pt3.patch"))))))
@@ -862,7 +850,6 @@ GLIBC/HURD for a Hurd host"
"glibc-CVE-2016-3075.patch"
"glibc-CVE-2016-3706.patch"
"glibc-CVE-2016-4429.patch"
- "glibc-CVE-2017-15670-15671.patch"
"glibc-CVE-2017-1000366-pt1.patch"
"glibc-CVE-2017-1000366-pt2.patch"
"glibc-CVE-2017-1000366-pt3.patch"))))
diff --git a/gnu/packages/patches/glibc-CVE-2017-15670-15671.patch b/gnu/packages/patches/glibc-CVE-2017-15670-15671.patch
deleted file mode 100644
index 76d688c51..000000000
--- a/gnu/packages/patches/glibc-CVE-2017-15670-15671.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-Fix CVE-2017-15670:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15670
-https://sourceware.org/bugzilla/show_bug.cgi?id=22320
-https://bugzilla.redhat.com/show_bug.cgi?id=1504804
-
-And CVE-2017-15671:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15671
-https://sourceware.org/bugzilla/show_bug.cgi?id=22325
-https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15671
-
-Copied from upstream:
-<https://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=2d1bd71ec70a31b01d01b734faa66bb1ed28961f>
-
-diff --git a/posix/glob.c b/posix/glob.c
---- a/posix/glob.c
-+++ b/posix/glob.c
-@@ -843,7 +843,7 @@
- *p = '\0';
- }
- else
-- *((char *) mempcpy (newp, dirname + 1, end_name - dirname))
-+ *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1))
- = '\0';
- user_name = newp;
- }
--
2.15.0
Information forwarded
to
guix-patches <at> gnu.org:
bug#29490; Package
guix-patches.
(Tue, 05 Dec 2017 11:09:01 GMT)
Full text and
rfc822 format available.
Message #8 received at 29490 <at> debbugs.gnu.org (full text, mbox):
Hello,
Marius Bakke <mbakke <at> fastmail.com> skribis:
> These issues has been classified as minor by Debian:
>
> https://security-tracker.debian.org/tracker/CVE-2017-15670
> https://security-tracker.debian.org/tracker/CVE-2017-15671
>
> ...and is not worth the cost of grafting and maintaining this patch.
I don’t see Debian’s classification as “minor”, but I see NVD severity
“high” and “medium” (I personally fail to imagine concrete remote
exploitation scenarios, but I largely lack the mental muscles for this.)
Ludo’.
Information forwarded
to
guix-patches <at> gnu.org:
bug#29490; Package
guix-patches.
(Tue, 05 Dec 2017 23:04:01 GMT)
Full text and
rfc822 format available.
Message #11 received at 29490 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Ludovic Courtès <ludo <at> gnu.org> writes:
> Hello,
>
> Marius Bakke <mbakke <at> fastmail.com> skribis:
>
>> These issues has been classified as minor by Debian:
>>
>> https://security-tracker.debian.org/tracker/CVE-2017-15670
>> https://security-tracker.debian.org/tracker/CVE-2017-15671
>>
>> ...and is not worth the cost of grafting and maintaining this patch.
>
> I don’t see Debian’s classification as “minor”, but I see NVD severity
> “high” and “medium” (I personally fail to imagine concrete remote
> exploitation scenarios, but I largely lack the mental muscles for this.)
At the bottom of the page is the status for the stable releases, which
didn't get a DSA due to being a minor issue.
The recent update of glibc on core-updates included a fix for a similar
problem:
https://security-tracker.debian.org/tracker/CVE-2017-15671
I suppose we can graft that too, but would prefer to just drop them. We
get the fixes when we merge core-updates in a few weeks anyway.
[signature.asc (application/pgp-signature, inline)]
Reply sent
to
Marius Bakke <mbakke <at> fastmail.com>:
You have taken responsibility.
(Tue, 02 Jan 2018 16:07:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Marius Bakke <mbakke <at> fastmail.com>:
bug acknowledged by developer.
(Tue, 02 Jan 2018 16:07:02 GMT)
Full text and
rfc822 format available.
Message #16 received at 29490-done <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Marius Bakke <mbakke <at> fastmail.com> writes:
> Ludovic Courtès <ludo <at> gnu.org> writes:
>
>> Hello,
>>
>> Marius Bakke <mbakke <at> fastmail.com> skribis:
>>
>>> These issues has been classified as minor by Debian:
>>>
>>> https://security-tracker.debian.org/tracker/CVE-2017-15670
>>> https://security-tracker.debian.org/tracker/CVE-2017-15671
>>>
>>> ...and is not worth the cost of grafting and maintaining this patch.
>>
>> I don’t see Debian’s classification as “minor”, but I see NVD severity
>> “high” and “medium” (I personally fail to imagine concrete remote
>> exploitation scenarios, but I largely lack the mental muscles for this.)
>
> At the bottom of the page is the status for the stable releases, which
> didn't get a DSA due to being a minor issue.
>
> The recent update of glibc on core-updates included a fix for a similar
> problem:
>
> https://security-tracker.debian.org/tracker/CVE-2017-15671
>
> I suppose we can graft that too, but would prefer to just drop them. We
> get the fixes when we merge core-updates in a few weeks anyway.
I pushed this to core-updates, since I'd rather not re-graft everything
on 'master'. The 2.26 package on core-updates have these fixes anyway.
This particular patch author will do a lot more research on future glibc
security issues...
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#29490; Package
guix-patches.
(Tue, 02 Jan 2018 22:28:01 GMT)
Full text and
rfc822 format available.
Message #19 received at 29490-done <at> debbugs.gnu.org (full text, mbox):
Heya,
Marius Bakke <mbakke <at> fastmail.com> skribis:
> Marius Bakke <mbakke <at> fastmail.com> writes:
>
>> Ludovic Courtès <ludo <at> gnu.org> writes:
>>
>>> Hello,
>>>
>>> Marius Bakke <mbakke <at> fastmail.com> skribis:
>>>
>>>> These issues has been classified as minor by Debian:
>>>>
>>>> https://security-tracker.debian.org/tracker/CVE-2017-15670
>>>> https://security-tracker.debian.org/tracker/CVE-2017-15671
>>>>
>>>> ...and is not worth the cost of grafting and maintaining this patch.
>>>
>>> I don’t see Debian’s classification as “minor”, but I see NVD severity
>>> “high” and “medium” (I personally fail to imagine concrete remote
>>> exploitation scenarios, but I largely lack the mental muscles for this.)
>>
>> At the bottom of the page is the status for the stable releases, which
>> didn't get a DSA due to being a minor issue.
>>
>> The recent update of glibc on core-updates included a fix for a similar
>> problem:
>>
>> https://security-tracker.debian.org/tracker/CVE-2017-15671
>>
>> I suppose we can graft that too, but would prefer to just drop them. We
>> get the fixes when we merge core-updates in a few weeks anyway.
>
> I pushed this to core-updates, since I'd rather not re-graft everything
> on 'master'. The 2.26 package on core-updates have these fixes anyway.
Great, thanks for keeping track of it.
> This particular patch author will do a lot more research on future glibc
> security issues...
Heheh. :-)
Ludo’.
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Wed, 31 Jan 2018 12:24:05 GMT)
Full text and
rfc822 format available.
This bug report was last modified 6 years and 79 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.