From 0b3df5c913af91bc196bb8cb41783126e55bf5a0 Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Fri, 29 Nov 2019 17:44:25 +0100 Subject: [PATCH] gnu: glibc: Update to 2.30. * gnu/packages/patches/glibc-CVE-2019-19126.patch: New file. * gnu/local.mk (dist_patch_DATA): Adjust accordingly. * gnu/packages/base.scm (glibc): Update to 2.30. [source](patches): Adjust for 2.30. (glibc-2.29): New public variable. --- gnu/local.mk | 1 + gnu/packages/base.scm | 28 +++++++++++++++---- .../patches/glibc-CVE-2019-19126.patch | 22 +++++++++++++++ 3 files changed, 46 insertions(+), 5 deletions(-) create mode 100644 gnu/packages/patches/glibc-CVE-2019-19126.patch diff --git a/gnu/local.mk b/gnu/local.mk index fef7fd1e28..25dfef3849 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -906,6 +906,7 @@ dist_patch_DATA = \ %D%/packages/patches/glibc-CVE-2018-11237.patch \ %D%/packages/patches/glibc-CVE-2019-7309.patch \ %D%/packages/patches/glibc-CVE-2019-9169.patch \ + %D%/packages/patches/glibc-CVE-2019-19126.patch \ %D%/packages/patches/glibc-allow-kernel-2.6.32.patch \ %D%/packages/patches/glibc-boot-2.16.0.patch \ %D%/packages/patches/glibc-boot-2.2.5.patch \ diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index a444213a84..caaa04258c 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm @@ -567,13 +567,13 @@ (define-public glibc ;; version 2.28, GNU/Hurd used a different glibc branch. (package (name "glibc") - (version "2.29") + (version "2.30") (source (origin (method url-fetch) (uri (string-append "mirror://gnu/glibc/glibc-" version ".tar.xz")) (sha256 (base32 - "0jzh58728flfh939a8k9pi1zdyalfzlxmwra7k0rzji5gvavivpk")) + "1bxqpg91d02qnaz837a5kamm0f43pr1il4r9pknygywsar713i72")) (snippet ;; Disable 'ldconfig' and /etc/ld.so.cache. The latter is ;; required on LFS distros to avoid loading the distro's libc.so @@ -585,9 +585,7 @@ (define-public glibc #t)) (modules '((guix build utils))) (patches (search-patches "glibc-ldd-x86_64.patch" - "glibc-CVE-2019-7309.patch" - "glibc-CVE-2019-9169.patch" - "glibc-2.29-git-updates.patch" + "glibc-CVE-2019-19126.patch" "glibc-hidden-visibility-ldconfig.patch" "glibc-versioned-locpath.patch" "glibc-allow-kernel-2.6.32.patch" @@ -819,6 +817,26 @@ (define (linker-script? file) ;; Below are old libc versions, which we use mostly to build locale data in ;; the old format (which the new libc cannot cope with.) +(define-public glibc-2.29 + (package + (inherit glibc) + (version "2.29") + (source (origin + (inherit (package-source glibc)) + (uri (string-append "mirror://gnu/glibc/glibc-" version ".tar.xz")) + (sha256 + (base32 + "0jzh58728flfh939a8k9pi1zdyalfzlxmwra7k0rzji5gvavivpk")) + (patches (search-patches "glibc-ldd-x86_64.patch" + "glibc-CVE-2019-7309.patch" + "glibc-CVE-2019-9169.patch" + "glibc-2.29-git-updates.patch" + "glibc-hidden-visibility-ldconfig.patch" + "glibc-versioned-locpath.patch" + "glibc-allow-kernel-2.6.32.patch" + "glibc-reinstate-prlimit64-fallback.patch" + "glibc-supported-locales.patch")))))) + (define-public glibc-2.28 (package (inherit glibc) diff --git a/gnu/packages/patches/glibc-CVE-2019-19126.patch b/gnu/packages/patches/glibc-CVE-2019-19126.patch new file mode 100644 index 0000000000..5b9ac58ab7 --- /dev/null +++ b/gnu/packages/patches/glibc-CVE-2019-19126.patch @@ -0,0 +1,22 @@ +Fix CVE-2019-19126: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19126 +https://sourceware.org/bugzilla/show_bug.cgi?id=25204 + +Taken from upstream: +https://sourceware.org/git/?p=glibc.git;a=commit;h=37c90e117310728a4ad1eb998c0bbe7d79c4a398 + +diff --git a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h +index 975cbe2..df2cdfd 100644 +--- a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h ++++ b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h +@@ -31,7 +31,8 @@ + environment variable, LD_PREFER_MAP_32BIT_EXEC. */ + #define EXTRA_LD_ENVVARS \ + case 21: \ +- if (memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0) \ ++ if (!__libc_enable_secure \ ++ && memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0) \ + GLRO(dl_x86_cpu_features).feature[index_arch_Prefer_MAP_32BIT_EXEC] \ + |= bit_arch_Prefer_MAP_32BIT_EXEC; \ + break;