PHP, glibc, and CVE-2024-2961

  • Done
  • quality assurance status badge
Details
5 participants
  • McSinyx
  • Liliana Marie Prikler
  • Liliana Prikler
  • Ludovic Courtès
  • Maxim Cournoyer
Owner
unassigned
Submitted by
McSinyx
Severity
normal

Debbugs page

M
L
L
Liliana Marie Prikler wrote on 26 Apr 00:20 -0700
(address . guix-security@gnu.org)
d3ec3ac455aa73747b9451100ed10f31ca65f64d.camel@ist.tugraz.at
Hi McSinyx,

security-relevant bugs ought to go to <guix-security@gnu.org>, see [1].
Since a patch exists for glibc all the way back to 2.30, I suppose a
graft can be used and should be performed timely.

Cheers

L
L
Ludovic Courtès wrote on 25 May 02:12 -0700
control message for bug #70581
(address . control@debbugs.gnu.org)
877cfi45nf.fsf@gnu.org
tags 70581 + security
quit
M
M
Maxim Cournoyer wrote 7 days ago
[PATCH] gnu: glibc: Graft with fix for CVE-2024-2961.
(address . 70581@debbugs.gnu.org)
f7aeb1c1fcdf123782ddf51257a573d614d1c02d.1734186002.git.maxim.cournoyer@gmail.com
* gnu/packages/base.scm (%glibc-patches): New variable.
(glibc) [source]: Use it.
[properties]: Mark CVE-2024-2961 as hidden (resolved).
[replacement]: Add field to graft with...
(glibc/fixed): ... this new package.

Change-Id: I6dd70b0e157283925824348f180c466c2f6387c9
---
gnu/packages/base.scm | 55 ++++++++++++++++++++++++++++++++-----------
1 file changed, 41 insertions(+), 14 deletions(-)

Toggle diff (85 lines)
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index b3f54798c4..a060ed556d 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -878,6 +878,21 @@ (define* (make-ld-wrapper name #:key
(home-page "https://www.gnu.org/software/guix//")
(license gpl3+)))
+(define %glibc-patches
+ (list "glibc-2.39-git-updates.patch"
+ "glibc-ldd-powerpc.patch"
+ "glibc-2.38-ldd-x86_64.patch"
+ "glibc-dl-cache.patch"
+ "glibc-2.37-versioned-locpath.patch"
+ ;; "glibc-allow-kernel-2.6.32.patch"
+ "glibc-reinstate-prlimit64-fallback.patch"
+ "glibc-supported-locales.patch"
+ "glibc-2.37-hurd-clock_t_centiseconds.patch"
+ "glibc-2.37-hurd-local-clock_gettime_MONOTONIC.patch"
+ "glibc-hurd-mach-print.patch"
+ "glibc-hurd-gettyent.patch"
+ "glibc-hurd-getauxval.patch"))
+
(define-public glibc
;; This is the GNU C Library, used on GNU/Linux and GNU/Hurd. Prior to
;; version 2.28, GNU/Hurd used a different glibc branch.
@@ -890,21 +905,11 @@ (define-public glibc
(sha256
(base32
"09nrwb0ksbah9k35jchd28xxp2hidilqdgz7b8v5f30pz1yd8yzp"))
- (patches (search-patches "glibc-2.39-git-updates.patch"
- "glibc-ldd-powerpc.patch"
- "glibc-2.38-ldd-x86_64.patch"
- "glibc-dl-cache.patch"
- "glibc-2.37-versioned-locpath.patch"
- ;; "glibc-allow-kernel-2.6.32.patch"
- "glibc-reinstate-prlimit64-fallback.patch"
- "glibc-supported-locales.patch"
- "glibc-2.37-hurd-clock_t_centiseconds.patch"
- "glibc-2.37-hurd-local-clock_gettime_MONOTONIC.patch"
- "glibc-hurd-mach-print.patch"
- "glibc-hurd-gettyent.patch"
- "glibc-hurd-getauxval.patch"))))
- (properties `((lint-hidden-cve . ("CVE-2024-33601" "CVE-2024-33602"
+ (patches (map search-patch %glibc-patches))))
+ (properties `((lint-hidden-cve . ("CVE-2024-2961"
+ "CVE-2024-33601" "CVE-2024-33602"
"CVE-2024-33600" "CVE-2024-33599"))))
+ (replacement glibc/fixed)
(build-system gnu-build-system)
;; Glibc's <limits.h> refers to <linux/limit.h>, for instance, so glibc
@@ -1182,6 +1187,28 @@ (define-public glibc
(license lgpl2.0+)
(home-page "https://www.gnu.org/software/libc/")))
+(define glibc/fixed
+ (package
+ (inherit glibc)
+ (name "glibc")
+ (version (package-version glibc))
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "git://sourceware.org/git/glibc.git")
+ ;; This is the latest commit from the
+ ;; 'release/2.39/master' branch, where CVEs and other
+ ;; important bug fixes are cherry picked.
+ (commit "2c882bf9c15d206aaf04766d1b8e3ae5b1002cc2")))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "111yf24g0qcfcxywfzrilmjxysahlbkzxfimcz9rq8p00qzvvf51"))
+ (patches (map search-patch
+ (fold (cut delete <...>)
+ %glibc-patches
+ '("glibc-2.39-git-updates.patch"))))))))
+
;; Define a variation of glibc which uses the default /etc/ld.so.cache, useful
;; in FHS containers.
(define-public glibc-for-fhs

base-commit: 93e1586116f39a30ba1fcb67bd839a43533dfaf4
--
2.46.0
M
M
Maxim Cournoyer wrote 3 days ago
Re: bug#70581: PHP, glibc, and CVE-2024-2961
(address . 70581-done@debbugs.gnu.org)
87a5ctphuu.fsf_-_@gmail.com
Hi

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

Toggle quote (9 lines)
> * gnu/packages/base.scm (%glibc-patches): New variable.
> (glibc) [source]: Use it.
> [properties]: Mark CVE-2024-2961 as hidden (resolved).
> [replacement]: Add field to graft with...
> (glibc/fixed): ... this new package.
>
> Fixes: <https://issues.guix.gnu.org/70581>
> Change-Id: I6dd70b0e157283925824348f180c466c2f6387c9

Applied.

--
Thanks,
Maxim
Closed
L
L
Ludovic Courtès wrote 3 days ago
(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)
87bjx9nw23.fsf_-_@gnu.org
Hi,

Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:

Toggle quote (9 lines)
> * gnu/packages/base.scm (%glibc-patches): New variable.
> (glibc) [source]: Use it.
> [properties]: Mark CVE-2024-2961 as hidden (resolved).
> [replacement]: Add field to graft with...
> (glibc/fixed): ... this new package.
>
> Fixes: <https://issues.guix.gnu.org/70581>
> Change-Id: I6dd70b0e157283925824348f180c466c2f6387c9

I’m late to the party, apologies! (I was Cc’d, despite being on
‘core-packages’, weird.)

Toggle quote (5 lines)
> + (patches (map search-patch
> + (fold (cut delete <...>)
> + %glibc-patches
> + '("glibc-2.39-git-updates.patch"))))))))

Or: (delete "glibc-2.39-git-updates.patch" (search-patches %glibc-patches)).

Thank you!

Ludo’.
M
M
Maxim Cournoyer wrote 2 days ago
(name . Ludovic Courtès)(address . ludo@gnu.org)
87r064mmry.fsf@gmail.com
Hi Ludovic,

Ludovic Courtès <ludo@gnu.org> writes:

[...]

Toggle quote (7 lines)
>> + (patches (map search-patch
>> + (fold (cut delete <...>)
>> + %glibc-patches
>> + '("glibc-2.39-git-updates.patch"))))))))
>
> Or: (delete "glibc-2.39-git-updates.patch" (search-patches %glibc-patches)).

It doesn't seem to work the way you'd intuitively expect, because
search-patches is syntax, and %glibc-patches is a list. So you at least
need the map and search-patch procedure:

Toggle snippet (3 lines)
(delete "glibc-2.39-git-updates.patch" (map search-patch %glibc-patches)).

And then the delete has no effect because 'search-path' returns absolute
paths, so the patch to delete is now something like
'/home/maxim/src/guix/gnu/packages/patches/glibc-2.39-git-updates.patch',
for example.

--
Thanks,
Maxim
L
L
Liliana Prikler wrote 30 hours ago
41e8919d208dfdfc0a50b456286c0de2d0b1ad20.camel@tugraz.at
Am Donnerstag, dem 19.12.2024 um 11:25 +0900 schrieb Maxim Cournoyer:
Toggle quote (28 lines)
> Hi Ludovic,
>
> Ludovic Courtès <ludo@gnu.org> writes:
>
> [...]
>
> > > +              (patches (map search-patch
> > > +                            (fold (cut delete <...>)
> > > +                                  %glibc-patches
> > > +                                  '("glibc-2.39-git-
> > > updates.patch"))))))))
> >
> > Or: (delete "glibc-2.39-git-updates.patch" (search-patches %glibc-
> > patches)).
>
> It doesn't seem to work the way you'd intuitively expect, because
> search-patches is syntax, and %glibc-patches is a list.  So you at
> least need the map and search-patch procedure:
>
> --8<---------------cut here---------------start------------->8---
> (delete "glibc-2.39-git-updates.patch" (map search-patch %glibc-
> patches)).
> --8<---------------cut here---------------end--------------->8---
>
> And then the delete has no effect because 'search-path' returns
> absolute paths, so the patch to delete is now something like
> '/home/maxim/src/guix/gnu/packages/patches/glibc-2.39-git-
> updates.patch', for example.
What about 
(map search-patch 
(delete "glibc-2.39-git-updates.patch" %glibc-patches)) 
?
?
Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 70581@patchwise.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 70581
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch