GNU bug report logs

#46959 [PATCH 0/1] WIP: gnu: newlib: Fix CVE-2021-3420.

Message #5 received at submit@debbugs.gnu.org:

From: Léo Le Bouter <lle-bout@zaclys.net>
To: guix-patches@gnu.org
Subject: [PATCH 0/1] WIP: gnu: newlib: Fix CVE-2021-3420.
Date: Sat,  6 Mar 2021 06:04:09 +0100
Message-Id: <20210306050410.11022-1-lle-bout@zaclys.net>
Cc: Léo Le Bouter <lle-bout@zaclys.net>

newlib-CVE-2021-3420.patch needs backporting to the versions of newlib it is
being applied to, so if you are interested or a user of those packages please
finish the work, otherwise well CVE-2021-3420 will probably remain unfixed.

The versions of newlib are too old and too specific for it to be
maintainable security-wise, especially considering upstream does not seem to
maintain older versions at all. I don't think GNU Guix should take that role,
but of course the people who depend on these packages can ensure they are good
enough for themselves, otherwise contribute changes.

Léo Le Bouter (1):
  gnu: newlib: Fix CVE-2021-3420.

 gnu/local.mk                                  |   1 +
 gnu/packages/embedded.scm                     |   6 +-
 .../patches/newlib-CVE-2021-3420.patch        | 105 ++++++++++++++++++
 3 files changed, 110 insertions(+), 2 deletions(-)
 create mode 100644 gnu/packages/patches/newlib-CVE-2021-3420.patch

-- 
2.30.1

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Fri Jan 3 03:49:51 2025; Machine Name: wallace-server