#50698 [PATCH] WIP patches for recently-known hurd security vulnerabilities

Message #10 received at 50698@debbugs.gnu.org (full text, mbox, reply):

Received: (at 50698) by debbugs.gnu.org; 4 Oct 2021 13:52:39 +0000
From debbugs-submit-bounces@debbugs.gnu.org Mon Oct 04 09:52:39 2021
Received: from localhost ([127.0.0.1]:35981 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1mXOOU-0003xH-Na
	for submit@debbugs.gnu.org; Mon, 04 Oct 2021 09:52:39 -0400
Received: from eggs.gnu.org ([209.51.188.92]:35164)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@gnu.org>) id 1mXOOS-0003x0-Re
 for 50698@debbugs.gnu.org; Mon, 04 Oct 2021 09:52:37 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e]:54592)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <ludo@gnu.org>)
 id 1mXOOM-0005Bt-M5; Mon, 04 Oct 2021 09:52:30 -0400
Received: from [2001:660:6102:320:e120:2c8f:8909:cdfe] (port=60548 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@gnu.org>)
 id 1mXOOL-0004lR-Kk; Mon, 04 Oct 2021 09:52:30 -0400
From: Ludovic Courtès <ludo@gnu.org>
To: Maxime Devos <maximedevos@telenet.be>
Subject: Re: bug#50698: [PATCH] WIP patches for recently-known hurd security
 vulnerabilities
References: <727b3d7ec511589ab714874d6648ee4afa458e3c.camel@telenet.be>
Date: Mon, 04 Oct 2021 15:52:27 +0200
In-Reply-To: <727b3d7ec511589ab714874d6648ee4afa458e3c.camel@telenet.be>
 (Maxime Devos's message of "Mon, 20 Sep 2021 12:40:48 +0200")
Message-ID: <87pmskq4mc.fsf@gnu.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 50698
Cc: 50698@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

Hi Maxime,

Maxime Devos <maximedevos@telenet.be> skribis:

> I've tried to patch the glibc package for the problems noted at
> <https://lists.gnu.org/archive/html/bug-hurd/2021-08/msg00007.html>;.
>
> I've found two recent patches (glibc-hurd-proc-reauth.patch and
> glibc-hurd-sendmsg-SCM_CREDS.patch) that appeared relevant.  I tried
> to patch our glibc package with those patches.
>
> The modified tarball builds fine for --system=x86_64-linux, but not
> for --system=i586-gnu (tested with ./pre-inst-env guix build hello
> --system=i586-gnu).  Any idea what's happening here?

Thanks for looking into it!

> From cdf38fbfcba4c87777d7ba2175f08e877dafe86a Mon Sep 17 00:00:00 2001
> From: Maxime Devos <maximedevos@telenet.be>
> Date: Mon, 13 Sep 2021 11:23:21 +0200
> Subject: [PATCH] WIP gnu: glibc: New security patches.
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
>
> The existence of the vulnerabilities was noted at
> <https://lists.gnu.org/archive/html/bug-hurd/2021-08/msg00007.html>.
>
> TODO: check if these are all necessary packages for glibc.
> TODO: why does the glibc tarball build for --system=x86_64-linux but not
> for --system=i586-gnu?
>
> Build error:
> ‘patching file hurd/hurdinit.c
> Hunk #1 FAILED at 177.
> 1 out of 1 hunk FAILED -- saving rejects to file hurd/hurdinit.c.rej’
>
> but this file isn't modified by the new patches!
>
> * gnu/local.mk (dist_patch_DATA): Register new patches.
> * gnu/packages/base.scm (glibc)[replacement]: Register replacement.
>   (glibc/fixed): New variable.
> * gnu/packages/patches/glibc-hurd-proc-reauth.patch: New file.
> * gnu/packages/patches/glibc-hurd-sendmsg-SCM_CREDS.patch.

[...]

> --- a/gnu/packages/base.scm
> +++ b/gnu/packages/base.scm
> @@ -706,6 +706,7 @@ the store.")
>    (package
>     (name "glibc")
>     (version "2.31")
> +   (replacement glibc/fixed)
>     (source (origin
>              (method url-fetch)
>              (uri (string-append "mirror://gnu/glibc/glibc-" version ".tar.xz"))
> @@ -966,6 +967,12 @@ with the Linux kernel.")
>     (license lgpl2.0+)
>     (home-page "https://www.gnu.org/software/libc/")))
>  
> +(define glibc/fixed
> +  (package-with-extra-patches
> +   glibc
> +   (search-patches "glibc-hurd-sendmsg-SCM_CREDS.patch"
> +                   "glibc-hurd-proc-reauth.patch")))

Instead of a replacement, which makes no sense on GNU/Linux, could you
add a conditional phase for (hurd-target?) that applies the patches?

(On ‘core-updates’ (or ‘-frozen’?) we will apply patches
unconditionally.)

Not answering your initial question, but maybe the problem will vanish
if you do things this way, who knows.  :-)

> +++ b/gnu/packages/patches/glibc-hurd-proc-reauth.patch
> @@ -0,0 +1,114 @@
> +Index: glibc-2.31/hurd/hurdsig.c

Please add a comment explaining what this patch does, what its status
is, with a link to upstream discussions.

Thank you!

Ludo’.

Send a report that this bug log contains spam.