gnu: glibc: Graft with fix for unsafe env variable [security-fixes].

Before this change, the environment variable GUIX_LOCPATH is not in the unsafe variable list, meaning that it is not unset in a privileged environment. This could lead to potential security issues. A CVE number is pending for this issue. A similar upstream glibc issue was CVE-2023-4911. * gnu/packages/base.scm (glibc)[replacement]: Add field to graft with ... (glibc/fixed): ... this new package. * gnu/packages/patches/glibc-guix-locpath.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. Change-Id: I74d87ce543bfba7d5f424efb2b87926ca336c725 Reported-by: "Stefan" <stefan-guix@vodafonemail.de>
2026-04-06 21:20:33 +02:00 · 2026-02-15 23:35:20 -05:00
parent 86c4c07971
commit d659fe8666
3 changed files with 27 additions and 1 deletions
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1482,6 +1482,7 @@ dist_patch_DATA =						\
  %D%/packages/patches/glibc-cross-objcopy.patch		\
  %D%/packages/patches/glibc-cross-objdump.patch		\
  %D%/packages/patches/glibc-dl-cache.patch			\
+  %D%/packages/patches/glibc-guix-locpath.patch			\
  %D%/packages/patches/glibc-hidden-visibility-ldconfig.patch	\
  %D%/packages/patches/glibc-hurd-clock_gettime_monotonic.patch	\
  %D%/packages/patches/glibc-hurd-clock_t_centiseconds.patch	\
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -21,7 +21,7 @@
 ;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net>
 ;;; Copyright © 2021, 2024 Maxim Cournoyer <maxim@guixotic.coop>
 ;;; Copyright © 2022 zamfofex <zamfofex@twdb.moe>
-;;; Copyright © 2022 John Kehayias <john.kehayias@protonmail.com>
+;;; Copyright © 2022, 2026 John Kehayias <john@guixotic.coop>
 ;;; Copyright © 2023 Josselin Poiret <dev@jpoiret.xyz>
 ;;; Copyright © 2024, 2025 Zheng Junjie <z572@z572.online>
 ;;;
@@ -957,6 +957,7 @@ the store.")
   (properties `((lint-hidden-cve . ("CVE-2024-2961"
                                     "CVE-2024-33601" "CVE-2024-33602"
                                     "CVE-2024-33600" "CVE-2024-33599"))))
+   (replacement glibc/fixed)
   (build-system gnu-build-system)

   ;; Glibc's <limits.h> refers to <linux/limit.h>, for instance, so glibc
@@ -1234,6 +1235,17 @@ with the Linux kernel.")
   (license lgpl2.0+)
   (home-page "https://www.gnu.org/software/libc/")))

+(define glibc/fixed
+  (package
+    (inherit glibc)
+    (name "glibc")
+    (source (origin
+              (inherit (package-source glibc))
+              ;; XXX: When ungrafting, add the included patch to
+              ;; %glibc-patches.
+              (patches (cons (search-patch "glibc-guix-locpath.patch")
+                             (origin-patches (package-source glibc))))))))
+
 ;; Define a variation of glibc which uses the default /etc/ld.so.cache, useful
 ;; in FHS containers.
 (define-public glibc-for-fhs
--- a/gnu/packages/patches/glibc-guix-locpath.patch
+++ b/gnu/packages/patches/glibc-guix-locpath.patch
@@ -0,0 +1,13 @@
+Patch to add the GUIX_LOCPATH environment variable to ones that should
+be unset for SUID programs, same as LOCPATH.
+
+--- glibc-2.41-old/sysdeps/generic/unsecvars.h
+++ glibc-2.41/sysdeps/generic/unsecvars.h
+@@ -5,6 +5,7 @@
+   "GCONV_PATH\0"							      \
+   "GETCONF_DIR\0"							      \
+   "GLIBC_TUNABLES\0"							      \
+  "GUIX_LOCPATH\0"							      \
+   "HOSTALIASES\0"							      \
+   "LD_AUDIT\0"								      \
+   "LD_BIND_NOT\0"							      \