Patching glibc for Garden Linux
Recent security bugs found in glibc required me to backport patches for glibc 2.35.
Usually, a security fix for Garden Linux can be achieved in one of two ways:
- Either Debian has already fixed it, and Garden Linux mirrors the fixed package version
- or Garden Linux rebuilds a fork of the Debian package with the security patches backported
We mirrored glibc/2.35-3 for Garden Linux 934.0 on October 18, 2022. However, on November 8, 2022, glibc 2.36-5 migrated to Debian testing.
No Debian release uses glibc 2.35, which means that Debian does not update its glibc patches for version 2.35.
glibc in GNU, Debian and Garden Linux
glibc 2.35 and glibc 2.36 are both actively maintained by gnu.org developers (upstream).
Good! glibc 2.35 receives patches from the gnu.org community, so we can still backport security fixes for our 2.35 version.
As mentioned in the introduction, Debian also adds patches to glibc. We usually want these patches: Debian adds security, compatibility and license-compliance patches. These are not the kind of patches that I feel comfortable removing.
The patches Debian adds for its glibc 2.35 can be found in the debian/2.35-4 branch on Salsa.
The first patch that Debian applies is actually an update patch from upstream, debian/patches/git-updates.diff. All other Debian patches are applied on top of this git-updates.diff patch.
Problem 1
The Debian patches rely on git-updates.diff. This means we cannot update git-updates.diff to include the latest upstream changes without breaking the Debian patches.
Ok, then let's just add the security-relevant patches from upstream, right?
Problem 2
The security patches rely on changes (illustrated as Change X in the diagram above) that are not included in git-updates.diff.
Ok, ok. Then why not throw away the Debian patches?
Problem 3
Sure, we can assume that the upstream source is tested and that we would not end up in a total mess. Agreed. But, as mentioned, we need these Debian patches. We would need to check a total of about 120 patches:
cd debian/patches
ls -Rl | grep "^-" | wc -l
This patch, for example, handles a licensing issue. We might be lucky and it might not be of concern for Garden Linux, but verifying that would take some effort: debian/patches/all/local-remove-manual.diff
We have 120 patches to check.
Solution
We need to fork Debian's glibc for Garden Linux and rebuild it. For the 934.11 patch release I will probably choose to face Problem 2 and port the security patches. Good news: I already did it for the GLIBC_TUNABLES exploit.
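Before porting an upstream fix on top of the Debian-patched 2.35 tree, it helps to know whether the fix's pre-image (the Change X context from Problem 2) is already there. The checker below is an added example, not Garden Linux or Debian tooling: it does a minimal dry-run of a unified diff against an in-memory tree, and the file path, tree contents and both patches are constructed for illustration.

```python
import re

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+\d+(?:,\d+)? @@")  # e.g. "@@ -2,2 +2,3 @@"

def parse_hunks(patch):
    """Return (target path, pre-image lines) per hunk; pre-image = ' ' and '-' lines."""
    hunks, lines, path, cur = [], patch.splitlines(), "", None
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.startswith("--- ") and nxt.startswith("+++ "):
            cur = None                                   # header of the next file
        elif cur is None and line.startswith("+++ "):
            path = line[4:].split("\t")[0]
            path = path[2:] if path.startswith("b/") else path
        elif HUNK_RE.match(line):
            cur = []
            hunks.append((path, cur))
        elif cur is not None and (line[:1] in (" ", "-") or line == ""):
            cur.append(line[1:])                         # must already exist in tree
    return hunks                                         # '+' lines are not checked

def missing_context(patch, tree):
    """Hunks whose pre-image is not found verbatim in tree (patch would reject them)."""
    out = []
    for n, (path, old) in enumerate(parse_hunks(patch), 1):
        src, k = tree.get(path, "").splitlines(), len(old)
        if not any(src[j:j + k] == old for j in range(len(src) - k + 1)):
            out.append(f"{path} hunk {n}")
    return out

# Constructed tree: stands in for 2.35 after git-updates.diff (not real glibc source).
TREE = {"src/example.c": "int parse(const char *s)\n{\n  return strlen(s);\n}\n"}
CLEAN_PATCH = """\
--- a/src/example.c
+++ b/src/example.c
@@ -2,2 +2,3 @@
 {
+  if (!*s) return -1;
   return strlen(s);
"""
# Pre-image expects "Change X", an upstream commit that git-updates.diff does not carry.
NEEDS_CHANGE_X = """\
--- a/src/example.c
+++ b/src/example.c
@@ -3,2 +3,2 @@
   size_t len = strlen(s);  /* Change X */
-  return len;
+  return len > MAX_LEN ? -1 : len;
"""
```

On a real tree you would load the Debian-patched source files into the dict; `patch --dry-run -p1` performs the same check with full hunk validation.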