From d659fe8666c4bc38fcbdbe7b7a35101f2d7cc41b Mon Sep 17 00:00:00 2001 From: John Kehayias Date: Sun, 15 Feb 2026 23:35:20 -0500 Subject: gnu: glibc: Graft with fix for unsafe env variable [security-fixes]. Before this change, the environment variable GUIX_LOCPATH is not in the unsafe variable list, meaning that it is not unset in a privileged environment. This could lead to potential security issues. A CVE number is pending for this issue. A similar upstream glibc issue was CVE-2023-4911. * gnu/packages/base.scm (glibc)[replacement]: Add field to graft with ... (glibc/fixed): ... this new package. * gnu/packages/patches/glibc-guix-locpath.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. Change-Id: I74d87ce543bfba7d5f424efb2b87926ca336c725 Reported-by: "Stefan" --- gnu/local.mk | 1 + 1 file changed, 1 insertion(+) (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 195448c6a70..797e063c759 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1482,6 +1482,7 @@ dist_patch_DATA = \ %D%/packages/patches/glibc-cross-objcopy.patch \ %D%/packages/patches/glibc-cross-objdump.patch \ %D%/packages/patches/glibc-dl-cache.patch \ + %D%/packages/patches/glibc-guix-locpath.patch \ %D%/packages/patches/glibc-hidden-visibility-ldconfig.patch \ %D%/packages/patches/glibc-hurd-clock_gettime_monotonic.patch \ %D%/packages/patches/glibc-hurd-clock_t_centiseconds.patch \ -- cgit v1.3
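Review bot: The new dist_patch_DATA entry, glibc-guix-locpath.patch, carries no CVE identifier, and the commit message says the number is still pending. Once it is assigned, record it in the patch file's header comment or in the file name, so that the registered patch can be matched to the advisory later. The entry itself sits in the correct sorted position between glibc-dl-cache.patch and glibc-hidden-visibility-ldconfig.patch. This view is limited to gnu/local.mk, so the glibc/fixed graft in gnu/packages/base.scm and the contents of the patch are not reviewable here. When reviewing those, check that GUIX_LOCPATH is handled everywhere glibc already handles LOCPATH for privileged processes, since the commit message describes the defect as the variable not being unset in a privileged environment.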