From d659fe8666c4bc38fcbdbe7b7a35101f2d7cc41b Mon Sep 17 00:00:00 2001
From: John Kehayias
Date: Sun, 15 Feb 2026 23:35:20 -0500
Subject: [PATCH] gnu: glibc: Graft with fix for unsafe env variable [security-fixes].

Before this change, the environment variable GUIX_LOCPATH is not in the unsafe variable list, meaning that it is not unset in a privileged environment. This could lead to potential security issues. A CVE number is pending for this issue. A similar upstream glibc issue was CVE-2023-4911.

* gnu/packages/base.scm (glibc)[replacement]: Add field to graft with ...
(glibc/fixed): ... this new package.
* gnu/packages/patches/glibc-guix-locpath.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.

Change-Id: I74d87ce543bfba7d5f424efb2b87926ca336c725
Reported-by: "Stefan"
---
 gnu/local.mk | 1 +
 gnu/packages/base.scm | 14 +++++++++++++-
 gnu/packages/patches/glibc-guix-locpath.patch | 13 +++++++++++++
 3 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/glibc-guix-locpath.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 195448c6a7..797e063c75 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1482,6 +1482,7 @@ dist_patch_DATA = \
 %D%/packages/patches/glibc-cross-objcopy.patch \
 %D%/packages/patches/glibc-cross-objdump.patch \
 %D%/packages/patches/glibc-dl-cache.patch \
+ %D%/packages/patches/glibc-guix-locpath.patch \
 %D%/packages/patches/glibc-hidden-visibility-ldconfig.patch \
 %D%/packages/patches/glibc-hurd-clock_gettime_monotonic.patch \
 %D%/packages/patches/glibc-hurd-clock_t_centiseconds.patch \
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 81913168c1..31ad20e2ee 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -21,7 +21,7 @@
 ;;; Copyright © 2021 Guillaume Le Vaillant
 ;;; Copyright © 2021, 2024 Maxim Cournoyer
 ;;; Copyright © 2022 zamfofex
-;;; Copyright © 2022 John Kehayias
+;;; Copyright © 2022, 2026 John Kehayias
 ;;; Copyright © 2023 Josselin Poiret
 ;;; Copyright © 2024, 2025 Zheng Junjie
 ;;;
@@ -957,6 +957,7 @@ the store.")
 (properties `((lint-hidden-cve . ("CVE-2024-2961" "CVE-2024-33601" "CVE-2024-33602" "CVE-2024-33600" "CVE-2024-33599"))))
+ (replacement glibc/fixed)
 (build-system gnu-build-system)
 ;; Glibc's refers to , for instance, so glibc
@@ -1234,6 +1235,17 @@ with the Linux kernel.")
 (license lgpl2.0+)
 (home-page "https://www.gnu.org/software/libc/")))
+(define glibc/fixed
+ (package
+ (inherit glibc)
+ (name "glibc")
+ (source (origin
+ (inherit (package-source glibc))
+ ;; XXX: When ungrafting, add the included patch to
+ ;; %glibc-patches.
+ (patches (cons (search-patch "glibc-guix-locpath.patch")
+ (origin-patches (package-source glibc))))))))
+
 ;; Define a variation of glibc which uses the default /etc/ld.so.cache, useful
 ;; in FHS containers.
 (define-public glibc-for-fhs
diff --git a/gnu/packages/patches/glibc-guix-locpath.patch b/gnu/packages/patches/glibc-guix-locpath.patch
new file mode 100644
index 0000000000..5bba574a8c
--- /dev/null
+++ b/gnu/packages/patches/glibc-guix-locpath.patch
@@ -0,0 +1,13 @@
+Patch to add the GUIX_LOCPATH environment variable to ones that should
+be unset for SUID programs, same as LOCPATH.
+
+--- glibc-2.41-old/sysdeps/generic/unsecvars.h
++++ glibc-2.41/sysdeps/generic/unsecvars.h
+@@ -5,6 +5,7 @@
+ "GCONV_PATH\0" \
+ "GETCONF_DIR\0" \
+ "GLIBC_TUNABLES\0" \
++ "GUIX_LOCPATH\0" \
+ "HOSTALIASES\0" \
+ "LD_AUDIT\0" \
+ "LD_BIND_NOT\0" \
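Review bot: Nothing in the new `glibc/fixed` definition, nor in the `lint-hidden-cve` list touched by the `@@ -957` hunk, records the CVE the commit message says is pending, so once the id is assigned `guix lint` is likely to keep reporting it against `glibc` even though the graft carries the fix. A reminder next to the existing XXX comment would keep that follow-up visible, e.g. `;; XXX: Once the CVE id for the GUIX_LOCPATH issue is assigned, add it to glibc's lint-hidden-cve property.`. The `(name "glibc")` field appears to restate what `(inherit glibc)` already provides and could be dropped; the graft requirement that name and version stay identical is met either way.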
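Review bot: The new `"GUIX_LOCPATH\0"` entry only extends the `UNSECURE_ENVVARS` list that the loader uses to strip variables from the environment of AT_SECURE (setuid/setgid) processes; if the Guix-patched locale lookup that honors GUIX_LOCPATH has any separate `__libc_enable_secure` guard mirroring what glibc does for LOCPATH, that site is not covered here and should be checked before the issue is treated as closed. The entry sits in the list's alphabetical position, matching the surrounding style. Only `sysdeps/generic/unsecvars.h` is patched; if this tree carries a target-specific variant of that header (the package is also built for the Hurd, per the glibc-hurd-*.patch entries in local.mk), it would need the same line. The patch preamble could also name the CVE once assigned, e.g. a line `CVE: <id pending>` under the description, so the provenance is discoverable from the patch file itself.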