diff options
| -rw-r--r-- | gnu/local.mk | 1 | ||||
| -rw-r--r-- | gnu/packages/base.scm | 28 | ||||
| -rw-r--r-- | gnu/packages/patches/glibc-CVE-2019-19126.patch | 22 |
3 files changed, 46 insertions, 5 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index fef7fd1e28..25dfef3849 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -906,6 +906,7 @@ dist_patch_DATA = \ %D%/packages/patches/glibc-CVE-2018-11237.patch \ %D%/packages/patches/glibc-CVE-2019-7309.patch \ %D%/packages/patches/glibc-CVE-2019-9169.patch \ + %D%/packages/patches/glibc-CVE-2019-19126.patch \ %D%/packages/patches/glibc-allow-kernel-2.6.32.patch \ %D%/packages/patches/glibc-boot-2.16.0.patch \ %D%/packages/patches/glibc-boot-2.2.5.patch \ diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index a444213a84..caaa04258c 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm @@ -567,13 +567,13 @@ the store.") ;; version 2.28, GNU/Hurd used a different glibc branch. (package (name "glibc") - (version "2.29") + (version "2.30") (source (origin (method url-fetch) (uri (string-append "mirror://gnu/glibc/glibc-" version ".tar.xz")) (sha256 (base32 - "0jzh58728flfh939a8k9pi1zdyalfzlxmwra7k0rzji5gvavivpk")) + "1bxqpg91d02qnaz837a5kamm0f43pr1il4r9pknygywsar713i72")) (snippet ;; Disable 'ldconfig' and /etc/ld.so.cache. The latter is ;; required on LFS distros to avoid loading the distro's libc.so @@ -585,9 +585,7 @@ the store.") #t)) (modules '((guix build utils))) (patches (search-patches "glibc-ldd-x86_64.patch" - "glibc-CVE-2019-7309.patch" - "glibc-CVE-2019-9169.patch" - "glibc-2.29-git-updates.patch" + "glibc-CVE-2019-19126.patch" "glibc-hidden-visibility-ldconfig.patch" "glibc-versioned-locpath.patch" "glibc-allow-kernel-2.6.32.patch" @@ -819,6 +817,26 @@ with the Linux kernel.") ;; Below are old libc versions, which we use mostly to build locale data in ;; the old format (which the new libc cannot cope with.) +(define-public glibc-2.29 + (package + (inherit glibc) + (version "2.29") + (source (origin + (inherit (package-source glibc)) + (uri (string-append "mirror://gnu/glibc/glibc-" version ".tar.xz")) + (sha256 + (base32 + "0jzh58728flfh939a8k9pi1zdyalfzlxmwra7k0rzji5gvavivpk")) + (patches (search-patches "glibc-ldd-x86_64.patch" + "glibc-CVE-2019-7309.patch" + "glibc-CVE-2019-9169.patch" + "glibc-2.29-git-updates.patch" + "glibc-hidden-visibility-ldconfig.patch" + "glibc-versioned-locpath.patch" + "glibc-allow-kernel-2.6.32.patch" + "glibc-reinstate-prlimit64-fallback.patch" + "glibc-supported-locales.patch")))))) + (define-public glibc-2.28 (package (inherit glibc) diff --git a/gnu/packages/patches/glibc-CVE-2019-19126.patch b/gnu/packages/patches/glibc-CVE-2019-19126.patch new file mode 100644 index 0000000000..5b9ac58ab7 --- /dev/null +++ b/gnu/packages/patches/glibc-CVE-2019-19126.patch @@ -0,0 +1,22 @@ +Fix CVE-2019-19126: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19126 +https://sourceware.org/bugzilla/show_bug.cgi?id=25204 + +Taken from upstream: +https://sourceware.org/git/?p=glibc.git;a=commit;h=37c90e117310728a4ad1eb998c0bbe7d79c4a398 + +diff --git a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h +index 975cbe2..df2cdfd 100644 +--- a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h ++++ b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h +@@ -31,7 +31,8 @@ + environment variable, LD_PREFER_MAP_32BIT_EXEC. */ + #define EXTRA_LD_ENVVARS \ + case 21: \ +- if (memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0) \ ++ if (!__libc_enable_secure \ ++ && memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0) \ + GLRO(dl_x86_cpu_features).feature[index_arch_Prefer_MAP_32BIT_EXEC] \ + |= bit_arch_Prefer_MAP_32BIT_EXEC; \ + break; |