PHP, glibc, and CVE-2024-2961

Details

3 participants

Recipients:(address . bug-guix@gnu.org)

Message-ID:D0TUHV4220TM.G0XZHTPBKVOQ@guix

Hello Guix,

Last week, an overflow bug in glibc's iconv(3) was discovered:

It may enable remove code execution through PHP. Due to

the immutable nature of Guix, is it possible to hotpatch

this using graft, or do we need to rebuild to world?

Kind regards,

McSinyx

Liliana Marie Prikler wrote on 26 Apr 09:20 +0200

Recipients:(address . guix-security@gnu.org)

Message-ID:d3ec3ac455aa73747b9451100ed10f31ca65f64d.camel@ist.tugraz.at

Hi McSinyx,

security-relevant bugs ought to go to <guix-security@gnu.org>, see [1].

Since a patch exists for glibc all the way back to 2.30, I suppose a

graft can be used and should be performed timely.

Cheers

Ludovic Courtès wrote on 25 May 11:12 +0200

control message for bug #70581

Recipients:(address . control@debbugs.gnu.org)

Message-ID:877cfi45nf.fsf@gnu.org

tags 70581 + security

quit

Your comment

Commenting via the web interface is currently disabled.

To respond to this issue using the mumi CLI, first switch to it

mumi current 70581

Then, you may apply the latest patchset in this issue (with sign off)

mumi am -- -s

Or, compose a reply to this issue

mumi compose

Or, send patches to this issue

mumi send-email *.patch