GNU bug report logs - #70581
PHP, glibc, and CVE-2024-2961

Package: guix;

Reported by: "McSinyx" <cnx <at> loang.net>

Date: Fri, 26 Apr 2024 06:46:07 UTC

Severity: normal

To reply to this bug, email your comments to 70581 AT debbugs.gnu.org.


Report forwarded to bug-guix <at> gnu.org:
bug#70581; Package guix. (Fri, 26 Apr 2024 06:46:08 GMT)

Acknowledgement sent to "McSinyx" <cnx <at> loang.net>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Fri, 26 Apr 2024 06:46:09 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: "McSinyx" <cnx <at> loang.net>
To: <bug-guix <at> gnu.org>
Subject: PHP, glibc, and CVE-2024-2961
Date: Fri, 26 Apr 2024 15:44:50 +0900

Hello Guix,

Last week, an overflow bug in glibc's iconv(3) was discovered:
https://www.openwall.com/lists/oss-security/2024/04/17/9

It may enable remote code execution through PHP.  Due to
the immutable nature of Guix, is it possible to hotpatch
this using graft, or do we need to rebuild the world?
https://rockylinux.org/news/glibc-vulnerability-april-2024/

Kind regards,
McSinyx




Information forwarded to bug-guix <at> gnu.org:
bug#70581; Package guix. (Fri, 26 Apr 2024 07:22:11 GMT)

Message #8 received at 70581 <at> debbugs.gnu.org:

From: Liliana Marie Prikler <liliana.prikler <at> ist.tugraz.at>
To: McSinyx <cnx <at> loang.net>, 70581 <at> debbugs.gnu.org
Cc: guix-security <at> gnu.org
Subject: Re: PHP, glibc, and CVE-2024-2961
Date: Fri, 26 Apr 2024 09:20:53 +0200

Hi McSinyx,

security-relevant bugs ought to go to <guix-security <at> gnu.org>, see [1].
Since a patch exists for glibc all the way back to 2.30, I suppose a
graft can be used and should be performed timely. 

Cheers

[1] https://guix.gnu.org/en/security/





This bug report was last modified 12 days ago.
