[20.09, staging] glibc: fix CVE-2020-6096 #104685
The commit message needs some work; I'm sorry if I was not clear enough on what to put in.
I think something like this is more helpful:
glibc: fix CVE-2020-6096
Fixes a signed comparison vulnerability in the ARMv7 memcpy and memmove functions.
https://sourceware.org/bugzilla/show_bug.cgi?id=25620
Fixes: CVE-2020-6096
Attributes like Fixes, Reviewed-by, Tested-by et al. are usually put at the end of the commit message.
Got it - I'll get that commit message massaged - one moment caller...
@mweinelt - when you say "Reviewed-by:" and "Tested-by:", there's no entry for that in the commits for these two patches; I've included direct links to the patches.
This also affects memmove. Check https://sourceware.org/bugzilla/show_bug.cgi?id=25620#c27.
Yup - that patch is included - but I'll update the commit message to include it.
Fixes an exploitable signed comparison vulnerability in the ARMv7 memcpy() and memmove()
https://sourceware.org/bugzilla/show_bug.cgi?id=25620

Contains patches:
2.31-cve-2020-6096.0.patch -> https://sourceware.org/git/?p=glibc.git;a=patch;h=79a4fa341b8a89cb03f84564fd72abaa1a2db394
2.31-cve-2020-6096.1.patch -> https://sourceware.org/git/?p=glibc.git;a=patch;h=beea361050728138b82c57dda0c4810402d342b9

Fixes: CVE-2020-6096
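As an added illustration (not code from this PR, from glibc, or from nixpkgs), the bug class the commit message names, a length that is compared as a signed value, modeled in portable C on a 32-bit length. It does not reproduce glibc's ARMv7 assembly or the exact misbehaviour recorded in the bug tracker; the function names, the small sample buffers and the 0x80000005 length are constructed for the example. The point it shows: a length with the top bit set is "negative" to a signed comparison and so passes (or short-circuits) a bound that an unsigned comparison rejects.

```c
/* Added example: models a signed comparison on a 32-bit copy length.
 * Not glibc code; buffers and the 0x80000005 length are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Buggy variant: the 32-bit length is compared as int32_t.
 * For n >= 0x80000000 the cast yields a negative value (two's-complement
 * wrap on every mainstream compiler, defined by C23), so the loop bound is
 * already "satisfied": nothing is copied, yet the caller believes n bytes
 * were. Returns the number of bytes actually copied. */
uint32_t copy_signed_bound(uint8_t *dst, const uint8_t *src, uint32_t n)
{
    uint32_t copied = 0;
    for (int32_t i = 0; i < (int32_t)n; i++) {  /* signed comparison: the defect */
        dst[i] = src[i];
        copied++;
    }
    return copied;
}

/* Hardened variant: the length is compared unsigned and checked against the
 * destination capacity before any byte is touched. Returns bytes copied, or
 * -1 when the request does not fit. */
int64_t copy_unsigned_bound(uint8_t *dst, size_t dst_cap,
                            const uint8_t *src, uint32_t n)
{
    if ((size_t)n > dst_cap)  /* unsigned: 0x80000005 is huge, not negative */
        return -1;
    for (uint32_t i = 0; i < n; i++)
        dst[i] = src[i];
    return (int64_t)n;
}

/* How each comparison style judges a length against a limit. */
int signed_check_accepts(uint32_t n, uint32_t limit)
{
    return (int32_t)n <= (int32_t)limit;
}

int unsigned_check_accepts(uint32_t n, uint32_t limit)
{
    return n <= limit;
}

int main(void)
{
    uint8_t src[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    uint8_t dst[8] = {0};
    uint32_t bad_len = 0x80000005u;  /* constructed: top bit set */

    printf("signed check accepts 0x%08x vs limit 64: %d\n",
           bad_len, signed_check_accepts(bad_len, 64));
    printf("unsigned check accepts 0x%08x vs limit 64: %d\n",
           bad_len, unsigned_check_accepts(bad_len, 64));
    printf("buggy copy of 0x%08x bytes copied: %u\n",
           bad_len, copy_signed_bound(dst, src, bad_len));
    printf("hardened copy of 0x%08x bytes result: %lld\n",
           bad_len, (long long)copy_unsigned_bound(dst, sizeof dst, src, bad_len));
    printf("hardened copy of 5 bytes result: %lld\n",
           (long long)copy_unsigned_bound(dst, sizeof dst, src, 5));
    return 0;
}
```

The practical check this suggests when reviewing a hand-written copy routine (in C or assembly) is to look at every compare on the length operand and confirm it is an unsigned one; a length that is `size_t` at the C level does not stay unsigned once an assembly implementation picks a signed branch instruction.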
Is this already mitigated in master? If yes, how and where? Why can't we backport that solution?
For what it's worth this looks fine. I've built the small release set of NixOS against this PR and only the scipy build fails (which is IIRC unrelated to this change): https://hydra.h4ck.space/build/338254#tabs-constituents
Yes, it was mitigated by bumping to 2.32, which I did open as a cherry-picked PR, upon which I received my first ever thumbs-down on a PR :-) Apparently the bump to 2.32 has so many changes there's still stuff in master that is broken.
Oh, I see you decided on a single patch instead of the whole upstream 2.31 branch? I hope we won't be missing some important fix, but anyway... such changes can come later. Detail: our aarch64 rebuild will take quite a long time, considering that the platform isn't said to be affected, but if you don't hurry, the non-conditional patching does appear cleaner.
@vcunat - after discussions on #nixos-security we decided to pull the minimal changeset to address the security vulnerability. There's so much domain knowledge required to make a judgement call as to which patches are fixes and which are 'fixes that will break things' that we took the safest path. The provided patches only patch the arm arch specific files - the safest option. As you said, other potential patches are better left for later in the hands of someone better equipped to deal with that domain.
Sure, I never suggested going through all the patches. Take the whole branch as upstream picked which patches were considered suitable for the stable branch, or just take some specific ones like you decided to do.
Motivation for this change
Addresses: #93992 - CVE-2020-6096
Things done
I do not own an arm7 system to test the build on - but my local x86_64 system continues to be happy.