| author | John Kehayias <john@guixotic.coop> | 2026-02-15 23:35:20 -0500 |
|---|---|---|
| committer | John Kehayias <john@guixotic.coop> | 2026-02-20 01:08:07 -0500 |
| commit | d659fe8666c4bc38fcbdbe7b7a35101f2d7cc41b (patch) | |
| tree | 06b4790f823dbadf067b06783c03216317849b21 /gnu/packages/base.scm | |
| parent | 86c4c0797115047155701083eee30163904f36ed (diff) | |
gnu: glibc: Graft with fix for unsafe env variable [security-fixes].
Before this change, the environment variable GUIX_LOCPATH is not in the unsafe
variable list, meaning that it is not unset in a privileged environment. This
could lead to potential security issues. A CVE number is pending for this
issue. A similar upstream glibc issue was CVE-2023-4911.
* gnu/packages/base.scm (glibc)[replacement]: Add field to graft with ...
(glibc/fixed): ... this new package.
* gnu/packages/patches/glibc-guix-locpath.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
Change-Id: I74d87ce543bfba7d5f424efb2b87926ca336c725
Reported-by: "Stefan" <stefan-guix@vodafonemail.de>
Diffstat (limited to 'gnu/packages/base.scm')
| -rw-r--r-- | gnu/packages/base.scm | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index 81913168c16..31ad20e2ee9 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm @@ -21,7 +21,7 @@ ;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net> ;;; Copyright © 2021, 2024 Maxim Cournoyer <maxim@guixotic.coop> ;;; Copyright © 2022 zamfofex <zamfofex@twdb.moe> -;;; Copyright © 2022 John Kehayias <john.kehayias@protonmail.com> +;;; Copyright © 2022, 2026 John Kehayias <john@guixotic.coop> ;;; Copyright © 2023 Josselin Poiret <dev@jpoiret.xyz> ;;; Copyright © 2024, 2025 Zheng Junjie <z572@z572.online> ;;; @@ -957,6 +957,7 @@ the store.") (properties `((lint-hidden-cve . ("CVE-2024-2961" "CVE-2024-33601" "CVE-2024-33602" "CVE-2024-33600" "CVE-2024-33599")))) + (replacement glibc/fixed) (build-system gnu-build-system) ;; Glibc's <limits.h> refers to <linux/limit.h>, for instance, so glibc @@ -1234,6 +1235,17 @@ with the Linux kernel.") (license lgpl2.0+) (home-page "https://www.gnu.org/software/libc/"))) +(define glibc/fixed + (package + (inherit glibc) + (name "glibc") + (source (origin + (inherit (package-source glibc)) + ;; XXX: When ungrafting, add the included patch to + ;; %glibc-patches. + (patches (cons (search-patch "glibc-guix-locpath.patch") + (origin-patches (package-source glibc)))))))) + ;; Define a variation of glibc which uses the default /etc/ld.so.cache, useful ;; in FHS containers. (define-public glibc-for-fhs |
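Review bot: in the second hunk, the new `(replacement glibc/fixed)` sits directly under a `lint-hidden-cve` property list that cannot yet name this issue, since the commit message says the CVE number is pending; once it is assigned, either add it to that list or give the patch a CVE-bearing file name, otherwise `guix lint` will keep reporting the vulnerability against `glibc` even though the replacement carries the fix. The forward reference to `glibc/fixed`, defined only in the third hunk further down the file, is fine because `replacement` is a thunked field, but a short comment at the `replacement` line pointing to the definition would help readers of this 1200-line file.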
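Review bot: in the third hunk, `(name "glibc")` is redundant with `(inherit glibc)`, since inheriting already keeps the name (and version) that a graft must preserve; harmless, but it can be dropped. The `(cons (search-patch "glibc-guix-locpath.patch") (origin-patches ...))` form prepends the new patch, so it is applied before every existing glibc patch; that is correct as long as it does not touch the same hunks as the existing ones, and the XXX comment about moving it into `%glibc-patches` when ungrafting is the right place to say so.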
