bug#27429: Stack clash (CVE-2017-1000366 etc)

2017-07-20 Thread Leo Famulari
On Thu, Jul 20, 2017 at 05:54:06PM +0200, Ludovic Courtès wrote: > Leo Famulari skribis: > > > This is a place to discuss the "stack crash" bugs as they apply to our > > packages. > > > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000366 > >

bug#27429: Stack clash (CVE-2017-1000366 etc)

2017-07-20 Thread Ludovic Courtès
Leo Famulari skribis: > This is a place to discuss the "stack crash" bugs as they apply to our > packages. > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000366 > https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt I think we can close this bug now,

bug#27429: core-updates and shishi [was Re: bug#27429: Stack clash (CVE-2017-1000366 etc)]

2017-06-30 Thread Ludovic Courtès
Leo Famulari skribis: > On Fri, Jun 30, 2017 at 12:27:57AM +0200, Ludovic Courtès wrote: >> > -(native-inputs `(("pkg-config" ,pkg-config))) >> > +(arguments >> > + `(#:phases >> > + (modify-phases %standard-phases >> > + (add-before 'configure

bug#27429: core-updates and shishi [was Re: bug#27429: Stack clash (CVE-2017-1000366 etc)]

2017-06-30 Thread Leo Famulari
On Fri, Jun 30, 2017 at 12:27:57AM +0200, Ludovic Courtès wrote: > > -(native-inputs `(("pkg-config" ,pkg-config))) > > +(arguments > > + `(#:phases > > + (modify-phases %standard-phases > > + (add-before 'configure 'bootstrap > > + (lambda _ (zero? (system*

bug#27429: core-updates and shishi [was Re: bug#27429: Stack clash (CVE-2017-1000366 etc)]

2017-06-29 Thread Ludovic Courtès
Leo Famulari skribis: > On Thu, Jun 29, 2017 at 10:06:08PM +0200, Ludovic Courtès wrote: >> Leo, let me know when you feel that we should start a new evaluation. > > First I want to ungraft today's libgcrypt and poppler replacements. > > I also want to apply the attached

bug#27429: core-updates and shishi [was Re: bug#27429: Stack clash (CVE-2017-1000366 etc)]

2017-06-29 Thread Leo Famulari
On Thu, Jun 29, 2017 at 10:06:08PM +0200, Ludovic Courtès wrote: > Leo, let me know when you feel that we should start a new evaluation. First I want to ungraft today's libgcrypt and poppler replacements. I also want to apply the attached patch so we can stop using libgcrypt-1.5 with Shishi, and

bug#27429: Stack clash (CVE-2017-1000366 etc)

2017-06-29 Thread Ludovic Courtès
Mark H Weaver skribis: > l...@gnu.org (Ludovic Courtès) writes: > >> As discussed yesterday on IRC, here’s a patch that applies the glibc >> patches for CVE-2017-1000366 in ‘core-updates’. >> >> That’s a rebuild-the-world change but we still have work to do in >> ‘core-updates’

bug#27429: Stack clash (CVE-2017-1000366 etc)

2017-06-28 Thread Leo Famulari
On Fri, Jun 23, 2017 at 01:20:38PM -0400, Leo Famulari wrote: > By the way, Qualys will probably begin publishing their exploits on > Tuesday [0]: Here they are: http://seclists.org/oss-sec/2017/q2/635 It would be good if we tested the relevant exploits against GuixSD.

bug#27429: Stack clash (CVE-2017-1000366 etc)

2017-06-27 Thread Ludovic Courtès
Mark H Weaver skribis: > Yes, I ran "guix pull" for user mhw on Hydra, and then asked it to build > a grafted 'hello' for all three hydra-supported platforms. This > entailed building a grafted 'glibc-final' as well as 'perl' and 'expat'. > I then ran: > > guix challenge

bug#27429: Stack clash (CVE-2017-1000366 etc)

2017-06-26 Thread Ludovic Courtès
Hi Mark, Mark H Weaver skribis: > I tried to copy the .drv files for the grafted 'glibc-final' and > 'glibc-final-with-bootstrap-bash' from my machine to Hydra, in order to > ask Hydra to build it, but both "guix copy" and "guix archive --export" > failed: > > mhw@jojen ~$ guix

bug#27429: Stack clash (CVE-2017-1000366 etc); -fstack-check

2017-06-25 Thread Leo Famulari
I agree, let's wait for guidance from the upstream GCC and GLIBC developers. Original Message From: Marius Bakke <mba...@fastmail.com> Sent: June 25, 2017 6:41:06 AM EDT To: Danny Milosavljevic <dan...@scratchpost.org>, 27...@debbugs.gnu.org Subject: bug#27429: Stac

bug#27429: Stack clash (CVE-2017-1000366 etc); -fstack-check

2017-06-25 Thread Marius Bakke
Danny Milosavljevic writes: > Hi, > > what do you all think of rebuilding the world with "-fstack-check" (either > now or later on) ? > > That would make gcc emit code to always grow the stack in a way that it > certainly touches each 4 KiB (parametrizable by >

bug#27429: Stack clash (CVE-2017-1000366 etc); -fstack-check

2017-06-25 Thread Danny Milosavljevic
Hi, what do you all think of rebuilding the world with "-fstack-check" (either now or later on) ? That would make gcc emit code to always grow the stack in a way that it certainly touches each 4 KiB (parametrizable by STACK_CHECK_PROBE_INTERVAL_EXP) page on the way. I think that would be the

bug#27429: Stack clash (CVE-2017-1000366 etc)

2017-06-24 Thread Mark H Weaver
Mark H Weaver writes: > Leo Famulari writes: > >> On Fri, Jun 23, 2017 at 02:36:41PM -0400, Mark H Weaver wrote: >>> Most packages are linked with 'glibc-final' in (gnu packages >>> commencement), and we should expect them to now be linked with *its* >>>

bug#27429: Stack clash (CVE-2017-1000366 etc)

2017-06-23 Thread Mark H Weaver
Leo Famulari writes: > On Fri, Jun 23, 2017 at 02:36:41PM -0400, Mark H Weaver wrote: >> Most packages are linked with 'glibc-final' in (gnu packages >> commencement), and we should expect them to now be linked with *its* >> replacement. Try this to find the expected

bug#27429: Stack clash (CVE-2017-1000366 etc)

2017-06-23 Thread Leo Famulari
On Fri, Jun 23, 2017 at 02:36:41PM -0400, Mark H Weaver wrote: > Most packages are linked with 'glibc-final' in (gnu packages > commencement), and we should expect them to now be linked with *its* > replacement. Try this to find the expected glibc-final replacement: > > ./pre-inst-env guix

bug#27429: Stack clash (CVE-2017-1000366 etc)

2017-06-23 Thread Mark H Weaver
Leo Famulari writes: > On Wed, Jun 21, 2017 at 12:50:45PM +0300, Efraim Flashner wrote: >> Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366. >> >> * gnu/packages/base.scm (glibc/linux)[replacement]: New field. >> (glibc-2.25-fixed): New variable. >> (glibc@2.24,

bug#27429: Stack clash (CVE-2017-1000366 etc)

2017-06-22 Thread Leo Famulari
On Thu, Jun 22, 2017 at 12:17:37PM -0400, Leo Famulari wrote: > On Thu, Jun 22, 2017 at 02:44:11AM -0400, Mark H Weaver wrote: > > Leo Famulari writes: > > > Hm, I noticed the bootstrap binaries being downloaded, so I don't think > > > this patch applies the graft without

bug#27429: Stack clash (CVE-2017-1000366 etc)

2017-06-22 Thread Leo Famulari
On Thu, Jun 22, 2017 at 02:44:11AM -0400, Mark H Weaver wrote: > Leo Famulari writes: > > Hm, I noticed the bootstrap binaries being downloaded, so I don't think > > this patch applies the graft without causing a full rebuild. > > It's likely that this is because of the new

bug#27429: Stack clash (CVE-2017-1000366 etc)

2017-06-22 Thread Mark H Weaver
Leo Famulari writes: > On Wed, Jun 21, 2017 at 07:52:27PM -0400, Leo Famulari wrote: >> On Wed, Jun 21, 2017 at 12:50:45PM +0300, Efraim Flashner wrote: >> > Had to make a small change to the patch, it turns out it couldn't build >> > the source for glibc@2.21, so I changed

bug#27429: Stack clash (CVE-2017-1000366 etc)

2017-06-21 Thread Leo Famulari
On Wed, Jun 21, 2017 at 07:52:27PM -0400, Leo Famulari wrote: > On Wed, Jun 21, 2017 at 12:50:45PM +0300, Efraim Flashner wrote: > > Had to make a small change to the patch, it turns out it couldn't build > > the source for glibc@2.21, so I changed the source to inherit from > > glibc@2.22 and not

bug#27429: Stack clash (CVE-2017-1000366 etc)

2017-06-21 Thread Leo Famulari
On Wed, Jun 21, 2017 at 12:50:45PM +0300, Efraim Flashner wrote: > Had to make a small change to the patch, it turns out it couldn't build > the source for glibc@2.21, so I changed the source to inherit from > glibc@2.22 and not just from glibc. It doesn't change anything for the > actual

bug#27429: Stack clash (CVE-2017-1000366 etc)

2017-06-21 Thread Efraim Flashner
Had to make a small change to the patch, it turns out it couldn't build the source for glibc@2.21, so I changed the source to inherit from glibc@2.22 and not just from glibc. It doesn't change anything for the actual glibc@2.25. -- Efraim Flashner אפרים פלשנר GPG key

bug#27429: Stack clash (CVE-2017-1000366 etc)

2017-06-21 Thread Efraim Flashner
On Tue, Jun 20, 2017 at 05:44:42PM -0400, Mark H Weaver wrote: > Hi Efraim, > > Thanks so much for working on this! > > Grafting glibc is something we haven't done before to my knowledge, and > it is a bit tricky because of all of the inherited versions of glibc. > At present, those inherited

bug#27429: Stack clash (CVE-2017-1000366 etc)

2017-06-20 Thread Mark H Weaver
Hi Efraim, Thanks so much for working on this! Grafting glibc is something we haven't done before to my knowledge, and it is a bit tricky because of all of the inherited versions of glibc. At present, those inherited versions are not expressed in such a way to make grafting work. One important

bug#27429: Stack clash (CVE-2017-1000366 etc)

2017-06-19 Thread Mark H Weaver
Leo Famulari writes: > This is a place to discuss the "stack crash" bugs as they apply to our > packages. > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000366 > https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt I pushed commit

bug#27429: Stack clash (CVE-2017-1000366 etc)

2017-06-19 Thread Leo Famulari
On the glibc bugs (CVE-2016-1000366), civodul said: [21:02:26] lfam: i *think* GuixSD is immune to the LD_LIBRARY_PATH one, FWIW [...] [21:02:43] lfam: because of the way is_trusted_path works in glibc https://gnunet.org/bot/log/guix/2017-06-19#T1422600 Relevant

bug#27429: Stack clash (CVE-2017-1000366 etc)

2017-06-19 Thread Leo Famulari
On Mon, Jun 19, 2017 at 07:05:10PM -0400, Leo Famulari wrote: > I'm currently testing the patch for CVE-2017-1000369 in Exim: > > https://git.exim.org/exim.git/commit/65e061b76867a9ea7aeeb535341b790b90ae6c21 > > "To reach the start of the stack with the end of the heap (man brk), we >

bug#27429: Stack clash (CVE-2017-1000366 etc)

2017-06-19 Thread Leo Famulari
I'm currently testing the patch for CVE-2017-1000369 in Exim: https://git.exim.org/exim.git/commit/65e061b76867a9ea7aeeb535341b790b90ae6c21 "To reach the start of the stack with the end of the heap (man brk), we permanently leak memory through multiple -p command-line arguments that are

bug#27429: Stack clash (CVE-2017-1000366 etc)

2017-06-19 Thread Leo Famulari
This is a place to discuss the "stack crash" bugs as they apply to our packages. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000366 https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt