-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/base.scm14
-rw-r--r--gnu/packages/patches/glibc-guix-locpath.patch13
3 files changed, 27 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 195448c6a70..797e063c759 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1482,6 +1482,7 @@ dist_patch_DATA = \
%D%/packages/patches/glibc-cross-objcopy.patch \
%D%/packages/patches/glibc-cross-objdump.patch \
%D%/packages/patches/glibc-dl-cache.patch \
+ %D%/packages/patches/glibc-guix-locpath.patch \
%D%/packages/patches/glibc-hidden-visibility-ldconfig.patch \
%D%/packages/patches/glibc-hurd-clock_gettime_monotonic.patch \
%D%/packages/patches/glibc-hurd-clock_t_centiseconds.patch \
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 81913168c16..31ad20e2ee9 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -21,7 +21,7 @@
;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net>
;;; Copyright © 2021, 2024 Maxim Cournoyer <maxim@guixotic.coop>
;;; Copyright © 2022 zamfofex <zamfofex@twdb.moe>
-;;; Copyright © 2022 John Kehayias <john.kehayias@protonmail.com>
+;;; Copyright © 2022, 2026 John Kehayias <john@guixotic.coop>
;;; Copyright © 2023 Josselin Poiret <dev@jpoiret.xyz>
;;; Copyright © 2024, 2025 Zheng Junjie <z572@z572.online>
;;;
@@ -957,6 +957,7 @@ the store.")
(properties `((lint-hidden-cve . ("CVE-2024-2961"
"CVE-2024-33601" "CVE-2024-33602"
"CVE-2024-33600" "CVE-2024-33599"))))
+ (replacement glibc/fixed)
(build-system gnu-build-system)
;; Glibc's <limits.h> refers to <linux/limit.h>, for instance, so glibc
@@ -1234,6 +1235,17 @@ with the Linux kernel.")
(license lgpl2.0+)
(home-page "https://www.gnu.org/software/libc/")))
+(define glibc/fixed
+ (package
+ (inherit glibc)
+ (name "glibc")
+ (source (origin
+ (inherit (package-source glibc))
+ ;; XXX: When ungrafting, add the included patch to
+ ;; %glibc-patches.
+ (patches (cons (search-patch "glibc-guix-locpath.patch")
+ (origin-patches (package-source glibc))))))))
+
;; Define a variation of glibc which uses the default /etc/ld.so.cache, useful
;; in FHS containers.
(define-public glibc-for-fhs
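Review bot: The `replacement` field is set only on `glibc` itself, and in Guix that field is not carried over by a plain `(inherit glibc)`, so variants such as `glibc-for-fhs` (whose definition starts at the last line of this hunk and continues outside it) would keep the unpatched loader unless they use `package/inherit` or declare their own replacement; worth confirming for each glibc variant in this file, since an unpatched one used by a set-user-ID program would still honor GUIX_LOCPATH. The `;; XXX` comment would be easier to act on if it named the file to move: `;; XXX: When ungrafting, add glibc-guix-locpath.patch to %glibc-patches.`. The explicit `(name "glibc")` duplicates the inherited name and could be dropped.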
diff --git a/gnu/packages/patches/glibc-guix-locpath.patch b/gnu/packages/patches/glibc-guix-locpath.patch
new file mode 100644
index 00000000000..5bba574a8c8
--- /dev/null
+++ b/gnu/packages/patches/glibc-guix-locpath.patch
@@ -0,0 +1,13 @@
+Patch to add the GUIX_LOCPATH environment variable to ones that should
+be unset for SUID programs, same as LOCPATH.
+
+--- glibc-2.41-old/sysdeps/generic/unsecvars.h
++++ glibc-2.41/sysdeps/generic/unsecvars.h
+@@ -5,6 +5,7 @@
+ "GCONV_PATH\0" \
+ "GETCONF_DIR\0" \
+ "GLIBC_TUNABLES\0" \
++ "GUIX_LOCPATH\0" \
+ "HOSTALIASES\0" \
+ "LD_AUDIT\0" \
+ "LD_BIND_NOT\0" \
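Review bot: The header's "SUID programs" understates the scope of the list it extends: glibc consults UNSECURE_ENVVARS in secure-execution mode (AT_SECURE), which the kernel sets for set-user-ID, set-group-ID and file-capability executables alike, so the wording could read `be unset by the dynamic loader in secure-execution mode (AT_SECURE: setuid, setgid and capability-bearing programs), same as LOCPATH.`. A line stating that the patch is Guix-specific (GUIX_LOCPATH does not exist upstream) would save the next reader from checking whether it was submitted upstream. The new entry keeps the list's alphabetical order, which is the right place for it.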