summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/base.scm28
-rw-r--r--gnu/packages/patches/glibc-CVE-2019-19126.patch22
3 files changed, 46 insertions, 5 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index fef7fd1e28..25dfef3849 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -906,6 +906,7 @@ dist_patch_DATA = \
%D%/packages/patches/glibc-CVE-2018-11237.patch \
%D%/packages/patches/glibc-CVE-2019-7309.patch \
%D%/packages/patches/glibc-CVE-2019-9169.patch \
+ %D%/packages/patches/glibc-CVE-2019-19126.patch \
%D%/packages/patches/glibc-allow-kernel-2.6.32.patch \
%D%/packages/patches/glibc-boot-2.16.0.patch \
%D%/packages/patches/glibc-boot-2.2.5.patch \
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index a444213a84..caaa04258c 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -567,13 +567,13 @@ the store.")
;; version 2.28, GNU/Hurd used a different glibc branch.
(package
(name "glibc")
- (version "2.29")
+ (version "2.30")
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnu/glibc/glibc-" version ".tar.xz"))
(sha256
(base32
- "0jzh58728flfh939a8k9pi1zdyalfzlxmwra7k0rzji5gvavivpk"))
+ "1bxqpg91d02qnaz837a5kamm0f43pr1il4r9pknygywsar713i72"))
(snippet
;; Disable 'ldconfig' and /etc/ld.so.cache. The latter is
;; required on LFS distros to avoid loading the distro's libc.so
@@ -585,9 +585,7 @@ the store.")
#t))
(modules '((guix build utils)))
(patches (search-patches "glibc-ldd-x86_64.patch"
- "glibc-CVE-2019-7309.patch"
- "glibc-CVE-2019-9169.patch"
- "glibc-2.29-git-updates.patch"
+ "glibc-CVE-2019-19126.patch"
"glibc-hidden-visibility-ldconfig.patch"
"glibc-versioned-locpath.patch"
"glibc-allow-kernel-2.6.32.patch"
@@ -819,6 +817,26 @@ with the Linux kernel.")
;; Below are old libc versions, which we use mostly to build locale data in
;; the old format (which the new libc cannot cope with.)
+(define-public glibc-2.29
+ (package
+ (inherit glibc)
+ (version "2.29")
+ (source (origin
+ (inherit (package-source glibc))
+ (uri (string-append "mirror://gnu/glibc/glibc-" version ".tar.xz"))
+ (sha256
+ (base32
+ "0jzh58728flfh939a8k9pi1zdyalfzlxmwra7k0rzji5gvavivpk"))
+ (patches (search-patches "glibc-ldd-x86_64.patch"
+ "glibc-CVE-2019-7309.patch"
+ "glibc-CVE-2019-9169.patch"
+ "glibc-2.29-git-updates.patch"
+ "glibc-hidden-visibility-ldconfig.patch"
+ "glibc-versioned-locpath.patch"
+ "glibc-allow-kernel-2.6.32.patch"
+ "glibc-reinstate-prlimit64-fallback.patch"
+ "glibc-supported-locales.patch"))))))
+
(define-public glibc-2.28
(package
(inherit glibc)
diff --git a/gnu/packages/patches/glibc-CVE-2019-19126.patch b/gnu/packages/patches/glibc-CVE-2019-19126.patch
new file mode 100644
index 0000000000..5b9ac58ab7
--- /dev/null
+++ b/gnu/packages/patches/glibc-CVE-2019-19126.patch
@@ -0,0 +1,22 @@
+Fix CVE-2019-19126:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19126
+https://sourceware.org/bugzilla/show_bug.cgi?id=25204
+
+Taken from upstream:
+https://sourceware.org/git/?p=glibc.git;a=commit;h=37c90e117310728a4ad1eb998c0bbe7d79c4a398
+
+diff --git a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h
+index 975cbe2..df2cdfd 100644
+--- a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h
++++ b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h
+@@ -31,7 +31,8 @@
+ environment variable, LD_PREFER_MAP_32BIT_EXEC. */
+ #define EXTRA_LD_ENVVARS \
+ case 21: \
+- if (memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0) \
++ if (!__libc_enable_secure \
++ && memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0) \
+ GLRO(dl_x86_cpu_features).feature[index_arch_Prefer_MAP_32BIT_EXEC] \
+ |= bit_arch_Prefer_MAP_32BIT_EXEC; \
+ break;