From: Léo Le Bouter <lle-bout@zaclys.net>
To: guix-patches@gnu.org
Cc: Léo Le Bouter <lle-bout@zaclys.net>
Subject: [PATCH 0/1] WIP: gnu: newlib: Fix CVE-2021-3420.
Date: Sat, 6 Mar 2021 06:04:09 +0100
Message-Id: <20210306050410.11022-1-lle-bout@zaclys.net>

newlib-CVE-2021-3420.patch needs backporting to the versions of newlib it is being applied to, so if you are interested or a user of those packages please finish the work; otherwise, well, CVE-2021-3420 will probably remain unfixed.

The versions of newlib are too old and too specific for it to be maintainable security-wise, especially considering upstream does not seem to maintain older versions at all. I don't think GNU Guix should take that role, but of course the people who depend on these packages can ensure they are good enough for themselves, or otherwise contribute changes.

Léo Le Bouter (1):
  gnu: newlib: Fix CVE-2021-3420.

 gnu/local.mk                                  |   1 +
 gnu/packages/embedded.scm                     |   6 +-
 .../patches/newlib-CVE-2021-3420.patch        | 105 ++++++++++++++++++
 3 files changed, 110 insertions(+), 2 deletions(-)
 create mode 100644 gnu/packages/patches/newlib-CVE-2021-3420.patch

-- 
2.30.1