GNU bug report logs - #70581
PHP, glibc, and CVE-2024-2961


Package: guix;

Reported by: "McSinyx" <cnx <at> loang.net>

Date: Fri, 26 Apr 2024 06:46:07 UTC

Severity: normal

Tags: security

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#70581; Package guix. (Fri, 26 Apr 2024 06:46:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to "McSinyx" <cnx <at> loang.net>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Fri, 26 Apr 2024 06:46:09 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: "McSinyx" <cnx <at> loang.net>
To: <bug-guix <at> gnu.org>
Subject: PHP, glibc, and CVE-2024-2961
Date: Fri, 26 Apr 2024 15:44:50 +0900
Hello Guix,

Last week, an overflow bug in glibc's iconv(3) was discovered:
https://www.openwall.com/lists/oss-security/2024/04/17/9

It may enable remote code execution through PHP.  Due to
the immutable nature of Guix, is it possible to hotpatch
this using graft, or do we need to rebuild the world?
https://rockylinux.org/news/glibc-vulnerability-april-2024/

Kind regards,
McSinyx




Information forwarded to bug-guix <at> gnu.org:
bug#70581; Package guix. (Fri, 26 Apr 2024 07:22:11 GMT) Full text and rfc822 format available.

Message #8 received at 70581 <at> debbugs.gnu.org (full text, mbox):

From: Liliana Marie Prikler <liliana.prikler <at> ist.tugraz.at>
To: McSinyx <cnx <at> loang.net>, 70581 <at> debbugs.gnu.org
Cc: guix-security <at> gnu.org
Subject: Re: PHP, glibc, and CVE-2024-2961
Date: Fri, 26 Apr 2024 09:20:53 +0200
Hi McSinyx,

security-relevant bugs ought to go to <guix-security <at> gnu.org>, see [1].
Since a patch exists for glibc all the way back to 2.30, I suppose a
graft can be used and should be performed timely. 

Cheers

[1] https://guix.gnu.org/en/security/





Added tag(s) security. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Sat, 25 May 2024 09:13:01 GMT) Full text and rfc822 format available.

Information forwarded to cnx <at> loang.net, liliana.prikler <at> ist.tugraz.at, ludo <at> gnu.org, andreas <at> enge.fr, janneke <at> gnu.org, bug-guix <at> gnu.org:
bug#70581; Package guix. (Sat, 14 Dec 2024 14:23:01 GMT) Full text and rfc822 format available.

Message #13 received at 70581 <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 70581 <at> debbugs.gnu.org
Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, guix-security <at> gnu.org
Subject: [PATCH] gnu: glibc: Graft with fix for CVE-2024-2961.
Date: Sat, 14 Dec 2024 23:20:53 +0900
* gnu/packages/base.scm (%glibc-patches): New variable.
(glibc) [source]: Use it.
[properties]: Mark CVE-2024-2961 as hidden (resolved).
[replacement]: Add field to graft with...
(glibc/fixed): ... this new package.

Fixes: <https://issues.guix.gnu.org/70581>
Change-Id: I6dd70b0e157283925824348f180c466c2f6387c9
---
 gnu/packages/base.scm | 55 ++++++++++++++++++++++++++++++++-----------
 1 file changed, 41 insertions(+), 14 deletions(-)

diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index b3f54798c4..a060ed556d 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -878,6 +878,21 @@ (define* (make-ld-wrapper name #:key
     (home-page "https://www.gnu.org/software/guix//")
     (license gpl3+)))
 
+(define %glibc-patches
+  (list "glibc-2.39-git-updates.patch"
+        "glibc-ldd-powerpc.patch"
+        "glibc-2.38-ldd-x86_64.patch"
+        "glibc-dl-cache.patch"
+        "glibc-2.37-versioned-locpath.patch"
+        ;; "glibc-allow-kernel-2.6.32.patch"
+        "glibc-reinstate-prlimit64-fallback.patch"
+        "glibc-supported-locales.patch"
+        "glibc-2.37-hurd-clock_t_centiseconds.patch"
+        "glibc-2.37-hurd-local-clock_gettime_MONOTONIC.patch"
+        "glibc-hurd-mach-print.patch"
+        "glibc-hurd-gettyent.patch"
+        "glibc-hurd-getauxval.patch"))
+
 (define-public glibc
   ;; This is the GNU C Library, used on GNU/Linux and GNU/Hurd.  Prior to
   ;; version 2.28, GNU/Hurd used a different glibc branch.
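Review bot: `%glibc-patches` is introduced without a comment saying why the list is now a separate top-level variable; a one-line comment above the `define` noting that it is shared so that `glibc/fixed` can derive its own patch set from it would help the next reader. The commented-out entry `;; "glibc-allow-kernel-2.6.32.patch"` is carried over with no explanation of why it is disabled; either drop it or say what would re-enable it.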
@@ -890,21 +905,11 @@ (define-public glibc
             (sha256
              (base32
               "09nrwb0ksbah9k35jchd28xxp2hidilqdgz7b8v5f30pz1yd8yzp"))
-            (patches (search-patches "glibc-2.39-git-updates.patch"
-                                     "glibc-ldd-powerpc.patch"
-                                     "glibc-2.38-ldd-x86_64.patch"
-                                     "glibc-dl-cache.patch"
-                                     "glibc-2.37-versioned-locpath.patch"
-                                     ;; "glibc-allow-kernel-2.6.32.patch"
-                                     "glibc-reinstate-prlimit64-fallback.patch"
-                                     "glibc-supported-locales.patch"
-                                     "glibc-2.37-hurd-clock_t_centiseconds.patch"
-                                     "glibc-2.37-hurd-local-clock_gettime_MONOTONIC.patch"
-                                     "glibc-hurd-mach-print.patch"
-                                     "glibc-hurd-gettyent.patch"
-                                     "glibc-hurd-getauxval.patch"))))
-   (properties `((lint-hidden-cve . ("CVE-2024-33601" "CVE-2024-33602"
+            (patches (map search-patch %glibc-patches))))
+   (properties `((lint-hidden-cve . ("CVE-2024-2961"
+                                     "CVE-2024-33601" "CVE-2024-33602"
                                      "CVE-2024-33600" "CVE-2024-33599"))))
+   (replacement glibc/fixed)
    (build-system gnu-build-system)
 
    ;; Glibc's <limits.h> refers to <linux/limit.h>, for instance, so glibc
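Review bot: In `properties`, "CVE-2024-2961" is added to `lint-hidden-cve` on `glibc` itself, while the only change to this package's `source` in the hunk is how the same patch list is spelled; the fix arrives solely through `(replacement glibc/fixed)`. A comment next to the `replacement` field stating that the graft is what resolves CVE-2024-2961 would tie the two lines together, so that whoever later removes the graft also revisits the hidden-CVE entry.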
@@ -1182,6 +1187,28 @@ (define-public glibc
    (license lgpl2.0+)
    (home-page "https://www.gnu.org/software/libc/")))
 
+(define glibc/fixed
+  (package
+    (inherit glibc)
+    (name "glibc")
+    (version (package-version glibc))
+    (source (origin
+              (method git-fetch)
+              (uri (git-reference
+                    (url "git://sourceware.org/git/glibc.git")
+                    ;; This is the latest commit from the
+                    ;; 'release/2.39/master' branch, where CVEs and other
+                    ;; important bug fixes are cherry picked.
+                    (commit "2c882bf9c15d206aaf04766d1b8e3ae5b1002cc2")))
+              (file-name (git-file-name name version))
+              (sha256
+               (base32
+                "111yf24g0qcfcxywfzrilmjxysahlbkzxfimcz9rq8p00qzvvf51"))
+              (patches (map search-patch
+                            (fold (cut delete <...>)
+                                  %glibc-patches
+                                  '("glibc-2.39-git-updates.patch"))))))))
+
 ;; Define a variation of glibc which uses the default /etc/ld.so.cache, useful
 ;; in FHS containers.
 (define-public glibc-for-fhs
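Review bot: In the `patches` field of `glibc/fixed`, `(fold (cut delete <...>) %glibc-patches '("glibc-2.39-git-updates.patch"))` folds over a one-element list to remove a single name; `(delete "glibc-2.39-git-updates.patch" %glibc-patches)` inside the `map search-patch` states the same thing directly. The comment above `commit` describes the branch but does not say that this commit carries the CVE-2024-2961 fix that motivates the graft, and the `git://` URL is an unauthenticated transport, so the integrity of the fetched tree rests entirely on the pinned `sha256`.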

base-commit: 93e1586116f39a30ba1fcb67bd839a43533dfaf4
-- 
2.46.0





Reply sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:
You have taken responsibility. (Wed, 18 Dec 2024 07:33:01 GMT) Full text and rfc822 format available.

Notification sent to "McSinyx" <cnx <at> loang.net>:
bug acknowledged by developer. (Wed, 18 Dec 2024 07:33:02 GMT) Full text and rfc822 format available.

Message #18 received at 70581-done <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 70581-done <at> debbugs.gnu.org
Cc: Ludovic Courtès <ludo <at> gnu.org>, guix-security <at> gnu.org,
 Liliana Marie Prikler <liliana.prikler <at> ist.tugraz.at>,
 Andreas Enge <andreas <at> enge.fr>, McSinyx <cnx <at> loang.net>,
 Janneke Nieuwenhuizen <janneke <at> gnu.org>
Subject: Re: bug#70581: PHP, glibc, and CVE-2024-2961
Date: Wed, 18 Dec 2024 16:31:37 +0900
Hi

Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:

> * gnu/packages/base.scm (%glibc-patches): New variable.
> (glibc) [source]: Use it.
> [properties]: Mark CVE-2024-2961 as hidden (resolved).
> [replacement]: Add field to graft with...
> (glibc/fixed): ... this new package.
>
> Fixes: <https://issues.guix.gnu.org/70581>
> Change-Id: I6dd70b0e157283925824348f180c466c2f6387c9

Applied.

-- 
Thanks,
Maxim




Information forwarded to bug-guix <at> gnu.org:
bug#70581; Package guix. (Wed, 18 Dec 2024 10:09:02 GMT) Full text and rfc822 format available.

Message #21 received at 70581 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: guix-security <at> gnu.org,
 Liliana Marie Prikler <liliana.prikler <at> ist.tugraz.at>,
 Andreas Enge <andreas <at> enge.fr>, 70581 <at> debbugs.gnu.org, McSinyx <cnx <at> loang.net>,
 Janneke Nieuwenhuizen <janneke <at> gnu.org>
Subject: Re: bug#70581: PHP, glibc, and CVE-2024-2961
Date: Wed, 18 Dec 2024 11:07:48 +0100
Hi,

Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:

> * gnu/packages/base.scm (%glibc-patches): New variable.
> (glibc) [source]: Use it.
> [properties]: Mark CVE-2024-2961 as hidden (resolved).
> [replacement]: Add field to graft with...
> (glibc/fixed): ... this new package.
>
> Fixes: <https://issues.guix.gnu.org/70581>
> Change-Id: I6dd70b0e157283925824348f180c466c2f6387c9

I’m late to the party, apologies! (I was Cc’d, despite being on
‘core-packages’, weird.)

> +              (patches (map search-patch
> +                            (fold (cut delete <...>)
> +                                  %glibc-patches
> +                                  '("glibc-2.39-git-updates.patch"))))))))

Or: (delete "glibc-2.39-git-updates.patch" (search-patches %glibc-patches)).

Thank you!

Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#70581; Package guix. (Thu, 19 Dec 2024 02:28:01 GMT) Full text and rfc822 format available.

Message #24 received at 70581 <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: guix-security <at> gnu.org,
 Liliana Marie Prikler <liliana.prikler <at> ist.tugraz.at>,
 Andreas Enge <andreas <at> enge.fr>, 70581 <at> debbugs.gnu.org, McSinyx <cnx <at> loang.net>,
 Janneke Nieuwenhuizen <janneke <at> gnu.org>
Subject: Re: bug#70581: PHP, glibc, and CVE-2024-2961
Date: Thu, 19 Dec 2024 11:25:53 +0900
Hi Ludovic,

Ludovic Courtès <ludo <at> gnu.org> writes:

[...]

>> +              (patches (map search-patch
>> +                            (fold (cut delete <...>)
>> +                                  %glibc-patches
>> +                                  '("glibc-2.39-git-updates.patch"))))))))
>
> Or: (delete "glibc-2.39-git-updates.patch" (search-patches %glibc-patches)).

It doesn't seem to work the way you'd intuitively expect, because
search-patches is syntax, and %glibc-patches is a list.  So you at least
need the map and search-patch procedure:

--8<---------------cut here---------------start------------->8---
(delete "glibc-2.39-git-updates.patch" (map search-patch %glibc-patches)).
--8<---------------cut here---------------end--------------->8---

And then the delete has no effect because 'search-path' returns absolute
paths, so the patch to delete is now something like
'/home/maxim/src/guix/gnu/packages/patches/glibc-2.39-git-updates.patch',
for example.

-- 
Thanks,
Maxim




Information forwarded to bug-guix <at> gnu.org:
bug#70581; Package guix. (Fri, 20 Dec 2024 07:56:01 GMT) Full text and rfc822 format available.

Message #27 received at 70581 <at> debbugs.gnu.org (full text, mbox):

From: Liliana Prikler <liliana.prikler <at> tugraz.at>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, Ludovic
 Courtès <ludo <at> gnu.org>
Cc: Andreas Enge <andreas <at> enge.fr>, Janneke Nieuwenhuizen <janneke <at> gnu.org>,
 70581 <at> debbugs.gnu.org, McSinyx <cnx <at> loang.net>, guix-security <at> gnu.org
Subject: Re: bug#70581: PHP, glibc, and CVE-2024-2961
Date: Fri, 20 Dec 2024 08:00:13 +0100
On Thursday, 19.12.2024 at 11:25 +0900, Maxim Cournoyer wrote:
> Hi Ludovic,
> 
> Ludovic Courtès <ludo <at> gnu.org> writes:
> 
> [...]
> 
> > > +              (patches (map search-patch
> > > +                            (fold (cut delete <...>)
> > > +                                  %glibc-patches
> > > +                                  '("glibc-2.39-git-
> > > updates.patch"))))))))
> > 
> > Or: (delete "glibc-2.39-git-updates.patch" (search-patches %glibc-patches)).
> 
> It doesn't seem to work the way you'd intuitively expect, because
> search-patches is syntax, and %glibc-patches is a list.  So you at
> least need the map and search-patch procedure:
> 
> --8<---------------cut here---------------start------------->8---
> (delete "glibc-2.39-git-updates.patch" (map search-patch %glibc-patches)).
> --8<---------------cut here---------------end--------------->8---
> 
> And then the delete has no effect because 'search-path' returns
> absolute paths, so the patch to delete is now something like
> '/home/maxim/src/guix/gnu/packages/patches/glibc-2.39-git-updates.patch',
> for example.
What about 
  (map search-patch 
    (delete "glibc-2.39-git-updates.patch" %glibc-patches)) 
?
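
The three forms discussed in the last messages, side by side, as an added Guile illustration that is not part of the thread or of Guix. `search-patch*`, `%patch-directory`, `still-listed?` and the shortened patch list are stand-ins constructed here; the stand-in only mimics the absolute-path behaviour described above.

```scheme
;; Added illustration: why the order of `delete' and the path lookup matters.
(use-modules (srfi srfi-1)    ; fold, any
             (srfi srfi-26))  ; cut

;; Constructed directory; a real lookup searches Guix's patch path.
(define %patch-directory "/constructed/gnu/packages/patches")

(define (search-patch* name)
  ;; Hypothetical stand-in: turn a patch file name into an absolute path.
  (string-append %patch-directory "/" name))

;; Shortened, constructed copy of the list from the patch.
(define %glibc-patches
  (list "glibc-2.39-git-updates.patch"
        "glibc-ldd-powerpc.patch"
        "glibc-dl-cache.patch"))

(define obsolete "glibc-2.39-git-updates.patch")

;; Form 1: resolve first, delete afterwards.  `delete' compares the bare
;; name with absolute paths, so nothing matches and nothing is removed.
(define resolve-then-delete
  (delete obsolete (map search-patch* %glibc-patches)))

;; Form 2: delete the name first, then resolve what is left.
(define delete-then-resolve
  (map search-patch* (delete obsolete %glibc-patches)))

;; Form 3: the expression used in the applied patch; the fold calls
;; (delete name accumulated-list) once per name to remove.
(define fold-then-resolve
  (map search-patch*
       (fold (cut delete <...>) %glibc-patches (list obsolete))))

(define (still-listed? name paths)
  ;; Check by base name, so the test works on resolved paths too.
  (any (lambda (path) (string=? (basename path) name)) paths))

(for-each
 (lambda (label paths)
   (format #t "~a: ~a patches, obsolete patch still listed? ~a~%"
           label (length paths) (still-listed? obsolete paths)))
 '("resolve-then-delete" "delete-then-resolve" "fold-then-resolve")
 (list resolve-then-delete delete-then-resolve fold-then-resolve))
```

A check like `still-listed?` is worth keeping next to a security graft, because a removal that silently matches nothing leaves the superseded patch in the source's patch set.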




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 17 Jan 2025 12:24:12 GMT) Full text and rfc822 format available.

This bug report was last modified 24 days ago.
