[20.09, staging] glibc: fix CVE-2020-6096 #104685
Conversation
redvers
changed the title
There was a problem hiding this comment.
The commit message needs some work, I'm sorry if I was not clear enough on what to put in.
I think something like this is more helpful:
glibc: fix CVE-2020-6096
Fixes a signed comparison vulnerability in the ARMv7 memcpy and memmove functions.
https://sourceware.org/bugzilla/show_bug.cgi?id=25620
Fixes: CVE-2020-6096
Attributes like Fixes, Reviewed-by, Tested-by et al. are usually put at the end of the commit message.
redvers
changed the title
|
Got it - I'll get that commit message massaged - one moment caller... |
|
@mweinelt - when you say "Reviewed-by:" and "Tested-by:" there's no entry for that in the commits for these two patches I've included direct links to the patches. |
redvers
force-pushed
the
update_glibc_2.31_cve-2020-6096
branch
from
2170c8b
to
a43a054
Compare
|
This also affects memmove. Check https://sourceware.org/bugzilla/show_bug.cgi?id=25620#c27. |
|
Yup - that patch is included - but I'll update the commit message to include it. |
Fixes an exploitable signed comparison vulnerabilty in the ARMv7 memcpy() and memmove() https://sourceware.org/bugzilla/show_bug.cgi?id=25620 Contains patches: 2.31-cve-2020-6096.0.patch -> https://sourceware.org/git/?p=glibc.git;a=patch;h=79a4fa341b8a89cb03f84564fd72abaa1a2db394 2.31-cve-2020-6096.1.patch -> https://sourceware.org/git/?p=glibc.git;a=patch;h=beea361050728138b82c57dda0c4810402d342b9 Fixes: CVE-2020-6096
redvers
force-pushed
the
update_glibc_2.31_cve-2020-6096
branch
from
a43a054
to
67f254e
Compare
|
Is this already mitigated in master? If yes, how and where? Why can't we backport that solution? |
mweinelt
changed the title
|
For what it's worth this looks fine. I've build the small release set of NixOS against this PR and only the scipy build fails (which is IIRC unrelated to this change): https://hydra.h4ck.space/build/338254#tabs-constituents |
Yes, it was mitigated by bumping to 2.32 which I did open as a cherry-picked PR upon which I received my first ever thumbs-down on a PR :-) Apparently the bump to 2.32 has so many changes there's still stuff in master that is broken. |
|
Oh, I see you decided for a single patch instead of the whole upstream 2.31 branch? I hope we won't be missing some important fix, but anyway... such changes can come later. Detail: our aarch64 rebuild will take quite a long time, considering that the platform isn't said to be affected, but if you don't hurry, the non-conditional patching does appear cleanr. |
andir
changed the title
|
@vcunat - after discussions on #nixos-security we decided to pull the minimal changeset to address the security vulnerability. There's so much domain knowledge required to make a judgement call as to which patches are fixes and which are 'fixes that will break things' that we took the safest path. The provided patches only patch the arm arch specific files - the safest option. As you said, other potential patches are better left for later in the hands of someone better equipped to deal with that domain. |
|
Sure, I never suggested going through all the patches. Take the whole branch as upstream picked which patches were considered suitable for the stable branch – or just take some specific ones like you decided to do. |
Motivation for this change
Addresses: #93992 - CVE-2020-6092
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)I do not own an arm7 system to test the build on - but my local x86_64 system continues to be happy.