
commit d659fe8666c4bc38fcbdbe7b7a35101f2d7cc41b
Author: John Kehayias <[email protected]>
AuthorDate: Sun Feb 15 23:35:20 2026 -0500

    gnu: glibc: Graft with fix for unsafe env variable [security-fixes].
    
    Before this change, the environment variable GUIX_LOCPATH was not in the
    unsafe variable list, meaning that, unlike LOCPATH, it was not unset in a
    privileged environment.  This could lead to security issues.  A CVE number
    is pending for this issue.  A similar upstream glibc issue was
    CVE-2023-4911.
    
    * gnu/packages/base.scm (glibc)[replacement]: Add field to graft with ...
    (glibc/fixed): ... this new package.
    * gnu/packages/patches/glibc-guix-locpath.patch: New file.
    * gnu/local.mk (dist_patch_DATA): Register it.
    
    Change-Id: I74d87ce543bfba7d5f424efb2b87926ca336c725
    Reported-by: "Stefan" <[email protected]>
---
 gnu/local.mk                                  |  1 +
 gnu/packages/base.scm                         | 14 +++++++++++++-
 gnu/packages/patches/glibc-guix-locpath.patch | 13 +++++++++++++
 3 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index 195448c6a7..797e063c75 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1482,6 +1482,7 @@ dist_patch_DATA =                                         
\
   %D%/packages/patches/glibc-cross-objcopy.patch               \
   %D%/packages/patches/glibc-cross-objdump.patch               \
   %D%/packages/patches/glibc-dl-cache.patch                    \
+  %D%/packages/patches/glibc-guix-locpath.patch                        \
   %D%/packages/patches/glibc-hidden-visibility-ldconfig.patch  \
   %D%/packages/patches/glibc-hurd-clock_gettime_monotonic.patch        \
   %D%/packages/patches/glibc-hurd-clock_t_centiseconds.patch   \
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 81913168c1..31ad20e2ee 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -21,7 +21,7 @@
 ;;; Copyright © 2021 Guillaume Le Vaillant <[email protected]>
 ;;; Copyright © 2021, 2024 Maxim Cournoyer <[email protected]>
 ;;; Copyright © 2022 zamfofex <[email protected]>
-;;; Copyright © 2022 John Kehayias <[email protected]>
+;;; Copyright © 2022, 2026 John Kehayias <[email protected]>
 ;;; Copyright © 2023 Josselin Poiret <[email protected]>
 ;;; Copyright © 2024, 2025 Zheng Junjie <[email protected]>
 ;;;
@@ -957,6 +957,7 @@ the store.")
    (properties `((lint-hidden-cve . ("CVE-2024-2961"
                                      "CVE-2024-33601" "CVE-2024-33602"
                                      "CVE-2024-33600" "CVE-2024-33599"))))
+   (replacement glibc/fixed)
    (build-system gnu-build-system)
 
    ;; Glibc's <limits.h> refers to <linux/limit.h>, for instance, so glibc
@@ -1234,6 +1235,17 @@ with the Linux kernel.")
    (license lgpl2.0+)
    (home-page "https://www.gnu.org/software/libc/";)))
 
+(define glibc/fixed
+  (package
+    (inherit glibc)
+    (name "glibc")
+    (source (origin
+              (inherit (package-source glibc))
+              ;; XXX: When ungrafting, add the included patch to
+              ;; %glibc-patches.
+              (patches (cons (search-patch "glibc-guix-locpath.patch")
+                             (origin-patches (package-source glibc))))))))
+
 ;; Define a variation of glibc which uses the default /etc/ld.so.cache, useful
 ;; in FHS containers.
 (define-public glibc-for-fhs
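Review bot: The `replacement` set on `glibc` in the previous hunk is, if I recall Guix's package record correctly, an innate field that a plain `(inherit glibc)` does not copy, so variants defined that way — `glibc-for-fhs`, whose definition starts on the last context line here and continues outside the hunk, and any pinned older glibc packages elsewhere in this file — would keep shipping the unpatched `unsecvars.h`. Each of those that can end up in an AT_SECURE process needs its own `replacement` (or the patch added to its source directly); `glibc-for-fhs` is worth confirming first since it targets FHS containers where setuid binaries are routine. The `(name "glibc")` line is redundant with the `inherit`; either drop it or keep it with a comment stating why it is spelled out, e.g. `;; Grafts require the replacement to keep the same name and version.`.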
diff --git a/gnu/packages/patches/glibc-guix-locpath.patch 
b/gnu/packages/patches/glibc-guix-locpath.patch
new file mode 100644
index 0000000000..5bba574a8c
--- /dev/null
+++ b/gnu/packages/patches/glibc-guix-locpath.patch
@@ -0,0 +1,13 @@
+Patch to add the GUIX_LOCPATH environment variable to ones that should
+be unset for SUID programs, same as LOCPATH.
+
+--- glibc-2.41-old/sysdeps/generic/unsecvars.h
++++ glibc-2.41/sysdeps/generic/unsecvars.h
+@@ -5,6 +5,7 @@
+   "GCONV_PATH\0"                                                            \
+   "GETCONF_DIR\0"                                                           \
+   "GLIBC_TUNABLES\0"                                                        \
++  "GUIX_LOCPATH\0"                                                          \
+   "HOSTALIASES\0"                                                           \
+   "LD_AUDIT\0"                                                                
      \
+   "LD_BIND_NOT\0"                                                           \
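Review bot: Adding the name to `unsecvars.h` only covers the startup scrubbing of the environment for AT_SECURE processes; upstream, as I recall, also guards the LOCPATH lookup itself with `__libc_enable_secure` in the locale lookup code as defense in depth, so the Guix-specific code that reads GUIX_LOCPATH should be checked for an equivalent guard and the patch extended if it has none. The header comment at the top of the patch says "SUID programs", but this list applies to every AT_SECURE process (setuid, setgid and file-capability binaries), so I would word it `Patch to add GUIX_LOCPATH to the environment variables that are unset for AT_SECURE (setuid/setgid/capability) programs, same as LOCPATH.`. The new entry sits in sorted position between `GLIBC_TUNABLES` and `HOSTALIASES`, consistent with the surrounding entries.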
