From 91c623aae0f10992aa46957b9072679534e4cd28 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Mon, 19 Jun 2017 23:07:43 -0400 Subject: [PATCH] gnu: linux-libre: Add mitigation for CVE-2017-1000364. This increases the stack guard gap size from one page to 1 MiB in linux-libre-4.11, 4.9, and 4.4, to mitigate CVE-2017-1000364 (Stack Clash). * gnu/packages/linux.scm (linux-libre, linux-libre-4.9, linux-libre-4.4): Add patch. --- gnu/packages/linux.scm | 36 +++++++++++++++++++++++++++++++++--- 1 file changed, 33 insertions(+), 3 deletions(-) diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index 7d3b4bb239..3ec423422b 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -365,19 +365,49 @@ (define-public linux-libre (make-linux-libre %linux-libre-version %linux-libre-hash %intel-compatible-systems - #:configuration-file kernel-config)) + #:configuration-file kernel-config + #:patches + (list %boot-logo-patch + (origin + (method url-fetch) + (uri "\ +https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/patch/?id=167ec8235f978d7af78c73e9490dae1af3fee67f") + (file-name "linux-libre-4.11-CVE-2017-1000364.patch") + (sha256 + (base32 + "0hv3lxjgpssvsldkydg5q7znnzxv5ncpzrk6g11q01k3gkl0q689")))))) (define-public linux-libre-4.9 (make-linux-libre "4.9.33" "1dam6vqymhlx1vsl0lzxphamiifgyf97snxg18b2czqq402nz094" %intel-compatible-systems - #:configuration-file kernel-config)) + #:configuration-file kernel-config + #:patches + (list %boot-logo-patch + (origin + (method url-fetch) + (uri "\ +https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/patch/?id=37c40b6777f0bc8a63f616479c469b371097f333") + (file-name "linux-libre-4.9-CVE-2017-1000364.patch") + (sha256 + (base32 + "0zhnh8ysiqldxlnd50bjrxagzx29kc8nlajdrikii2x2ibkbfb4i")))))) (define-public linux-libre-4.4 (make-linux-libre "4.4.73" "144ssqw1dr86z4cgl797pq5rggfibsxqk7wmfbl6j92l1cj6yjrz" %intel-compatible-systems - #:configuration-file kernel-config)) + #:configuration-file kernel-config + #:patches + (list %boot-logo-patch + (origin + (method url-fetch) + (uri "\ +https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/patch/?id=87422f5b9b4f43efef4eaf37d7d040aed96500cb") + (file-name "linux-libre-4.4-CVE-2017-1000364.patch") + (sha256 + (base32 + "137p1cpiwlbvw4x12w1l23iy593xmdry60kd7j9kk690r9arfagw")))))) (define-public linux-libre-4.1 (make-linux-libre "4.1.41"