author | Maxim Cournoyer <maxim.cournoyer@gmail.com> | 2024-12-14 22:52:22 +0900 |
committer | Maxim Cournoyer <maxim.cournoyer@gmail.com> | 2024-12-18 16:27:09 +0900 |
commit | 78c4d00ab02ab41a22058cdbec0329752e47580f (patch) | |
tree | cd262b3ac3dbb4f32690f36722cf86ba9592ad00 /gnu | |
parent | 08e0144d2338c8fb51e52e74274554583d0faa69 (diff) | |
gnu: glibc: Graft with fix for CVE-2024-2961.
* gnu/packages/base.scm (%glibc-patches): New variable.
(glibc) [source]: Use it.
[properties]: Mark CVE-2024-2961 as hidden (resolved).
[replacement]: Add field to graft with...
(glibc/fixed): ... this new package.
Fixes: <https://issues.guix.gnu.org/70581>
Change-Id: I6dd70b0e157283925824348f180c466c2f6387c9
Diffstat (limited to 'gnu')
-rw-r--r-- | gnu/packages/base.scm | 55 |
1 files changed, 41 insertions, 14 deletions
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 87c7568ef2..4639050623 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -878,6 +878,21 @@ the store.")
 (home-page "https://www.gnu.org/software/guix//")
 (license gpl3+)))
 
+(define %glibc-patches
+ (list "glibc-2.39-git-updates.patch"
+ "glibc-ldd-powerpc.patch"
+ "glibc-2.38-ldd-x86_64.patch"
+ "glibc-dl-cache.patch"
+ "glibc-2.37-versioned-locpath.patch"
+ ;; "glibc-allow-kernel-2.6.32.patch"
+ "glibc-reinstate-prlimit64-fallback.patch"
+ "glibc-supported-locales.patch"
+ "glibc-2.37-hurd-clock_t_centiseconds.patch"
+ "glibc-2.37-hurd-local-clock_gettime_MONOTONIC.patch"
+ "glibc-hurd-mach-print.patch"
+ "glibc-hurd-gettyent.patch"
+ "glibc-hurd-getauxval.patch"))
+
 (define-public glibc
 ;; This is the GNU C Library, used on GNU/Linux and GNU/Hurd. Prior to
 ;; version 2.28, GNU/Hurd used a different glibc branch.
@@ -890,21 +905,11 @@ the store.")
 (sha256
 (base32
 "09nrwb0ksbah9k35jchd28xxp2hidilqdgz7b8v5f30pz1yd8yzp"))
- (patches (search-patches "glibc-2.39-git-updates.patch"
- "glibc-ldd-powerpc.patch"
- "glibc-2.38-ldd-x86_64.patch"
- "glibc-dl-cache.patch"
- "glibc-2.37-versioned-locpath.patch"
- ;; "glibc-allow-kernel-2.6.32.patch"
- "glibc-reinstate-prlimit64-fallback.patch"
- "glibc-supported-locales.patch"
- "glibc-2.37-hurd-clock_t_centiseconds.patch"
- "glibc-2.37-hurd-local-clock_gettime_MONOTONIC.patch"
- "glibc-hurd-mach-print.patch"
- "glibc-hurd-gettyent.patch"
- "glibc-hurd-getauxval.patch"))))
- (properties `((lint-hidden-cve . ("CVE-2024-33601" "CVE-2024-33602"
+ (patches (map search-patch %glibc-patches))))
+ (properties `((lint-hidden-cve . ("CVE-2024-2961"
+ "CVE-2024-33601" "CVE-2024-33602"
 "CVE-2024-33600" "CVE-2024-33599"))))
+ (replacement glibc/fixed)
 (build-system gnu-build-system)
 
 ;; Glibc's <limits.h> refers to <linux/limit.h>, for instance, so glibc
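Review bot: `%glibc-patches` in the first hunk is introduced without a comment saying what it is for, even though it is now the single list consumed by two packages, `glibc` and its grafted replacement `glibc/fixed`, and the commented-out `;; "glibc-allow-kernel-2.6.32.patch"` entry is carried into it with no note on why it is kept in the list. A one-line header such as `;; Patches applied to 'glibc' and, minus the git-updates patch, to its grafted replacement 'glibc/fixed'.` would make the sharing explicit for the next person who edits the list. The reason for the disabled entry is not visible in the diff and would need to be confirmed before documenting it.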
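Review bot: In the second hunk, adding "CVE-2024-2961" to `lint-hidden-cve` on `glibc` silences the lint for a vulnerability that this package's own source still contains; the fix only arrives through the new `(replacement glibc/fixed)` field, so the two lines depend on each other without saying so. If the graft is later removed or folded into a full rebuild, the hidden entry would keep masking the CVE, so a comment next to it such as `;; CVE-2024-2961 is fixed by the 'glibc/fixed' replacement below; drop this entry together with the graft.` records the coupling. The `glibc` package definition continues outside the hunk.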
@@ -1182,6 +1187,28 @@ with the Linux kernel.") (license lgpl2.0+) (home-page "https://www.gnu.org/software/libc/"))) +(define glibc/fixed + (package + (inherit glibc) + (name "glibc") + (version (package-version glibc)) + (source (origin + (method git-fetch) + (uri (git-reference + (url "git://sourceware.org/git/glibc.git") + ;; This is the latest commit from the + ;; 'release/2.39/master' branch, where CVEs and other + ;; important bug fixes are cherry picked. + (commit "2c882bf9c15d206aaf04766d1b8e3ae5b1002cc2"))) + (file-name (git-file-name name version)) + (sha256 + (base32 + "111yf24g0qcfcxywfzrilmjxysahlbkzxfimcz9rq8p00qzvvf51")) + (patches (map search-patch + (fold (cut delete <...>) + %glibc-patches + '("glibc-2.39-git-updates.patch")))))))) + ;; Define a variation of glibc which uses the default /etc/ld.so.cache, useful ;; in FHS containers. (define-public glibc-for-fhs |