[prev in list] [next in list] [prev in thread] [next in thread]
List: crux
Subject: ports/core (2.6): [notify] glibc: security fix for CVE-2010-3847
From: crux () crux ! nu
Date: 2010-10-26 12:59:25
Message-ID: 4cc6d0ad.eG2b1mSECsUB2Iwz%crux () crux ! nu
[Download RAW message or body]
commit f6826a058ad0548a4046f8193fc28aa2329b78b1
Author: Juergen Daubert <jue@jue.li>
Date: Tue Oct 26 14:57:52 2010 +0200
[notify] glibc: security fix for CVE-2010-3847 and CVE-2010-3856
Important security fix, a local attacker could exploit this to
gain root privileges.
See
- http://seclists.org/fulldisclosure/2010/Oct/257
- http://seclists.org/fulldisclosure/2010/Oct/344
diff --git a/glibc/.md5sum b/glibc/.md5sum
index abf400b..7422bc9 100644
--- a/glibc/.md5sum
+++ b/glibc/.md5sum
@@ -1,3 +1,5 @@
+733615b9c7f778639725ca40dbb781c6 CVE-2010-3847.patch
+e64fc10ef089b48de254b5322b54cd42 CVE-2010-3856.patch
ee71dedf724dc775e4efec9b823ed3be glibc-2.10.1.tar.bz2
8ef88560ec608d5923ee05eb5f0e15ea glibc-libidn-2.10.1.tar.bz2
96156bec8e05de67384dc93e72bdc313 host.conf
diff --git a/glibc/CVE-2010-3847.patch b/glibc/CVE-2010-3847.patch
new file mode 100644
index 0000000..3b2bd1c
--- /dev/null
+++ b/glibc/CVE-2010-3847.patch
@@ -0,0 +1,98 @@
+# http://seclists.org/fulldisclosure/2010/Oct/257
+# http://sourceware.org/ml/libc-hacker/2010-10/msg00007.html
+
+Path elements containing $ORIGIN should always be ignored in privileged
+programs.
+
+Andreas.
+
+2010-10-18 Andreas Schwab <schwab@redhat.com>
+
+ * elf/dl-load.c (is_dst): Remove last parameter.
+ (_dl_dst_count): Ignore $ORIGIN in privileged programs.
+ (_dl_dst_substitute): Likewise.
+---
+ elf/dl-load.c | 30 +++++++++++++-----------------
+ 1 files changed, 13 insertions(+), 17 deletions(-)
+
+diff --git a/elf/dl-load.c b/elf/dl-load.c
+index a7162eb..776f7e4 100644
+--- a/elf/dl-load.c
++++ b/elf/dl-load.c
+@@ -169,8 +169,7 @@ local_strdup (const char *s)
+
+
+ static size_t
+-is_dst (const char *start, const char *name, const char *str,
+- int is_path, int secure)
++is_dst (const char *start, const char *name, const char *str, int is_path)
+ {
+ size_t len;
+ bool is_curly = false;
+@@ -199,11 +198,6 @@ is_dst (const char *start, const char *name, const char *str,
+ && (!is_path || name[len] != ':'))
+ return 0;
+
+- if (__builtin_expect (secure, 0)
+- && ((name[len] != '\0' && (!is_path || name[len] != ':'))
+- || (name != start + 1 && (!is_path || name[-2] != ':'))))
+- return 0;
+-
+ return len;
+ }
+
+@@ -218,13 +212,12 @@ _dl_dst_count (const char *name, int is_path)
+ {
+ size_t len;
+
+- /* $ORIGIN is not expanded for SUID/GUID programs (except if it
+- is $ORIGIN alone) and it must always appear first in path. */
++ /* $ORIGIN is not expanded for SUID/GUID programs. */
+ ++name;
+- if ((len = is_dst (start, name, "ORIGIN", is_path,
+- INTUSE(__libc_enable_secure))) != 0
+- || (len = is_dst (start, name, "PLATFORM", is_path, 0)) != 0
+- || (len = is_dst (start, name, "LIB", is_path, 0)) != 0)
++ if (((len = is_dst (start, name, "ORIGIN", is_path)) != 0
++ && !INTUSE(__libc_enable_secure))
++ || (len = is_dst (start, name, "PLATFORM", is_path)) != 0
++ || (len = is_dst (start, name, "LIB", is_path)) != 0)
+ ++cnt;
+
+ name = strchr (name + len, '$');
+@@ -256,9 +249,12 @@ _dl_dst_substitute (struct link_map *l, const char *name, char *result,
+ size_t len;
+
+ ++name;
+- if ((len = is_dst (start, name, "ORIGIN", is_path,
+- INTUSE(__libc_enable_secure))) != 0)
++ if ((len = is_dst (start, name, "ORIGIN", is_path)) != 0)
+ {
++ /* Ignore this path element in SUID/SGID programs. */
++ if (INTUSE(__libc_enable_secure))
++ repl = (const char *) -1;
++ else
+ #ifndef SHARED
+ if (l == NULL)
+ repl = _dl_get_origin ();
+@@ -266,9 +262,9 @@ _dl_dst_substitute (struct link_map *l, const char *name, char *result,
+ #endif
+ repl = l->l_origin;
+ }
+- else if ((len = is_dst (start, name, "PLATFORM", is_path, 0)) != 0)
++ else if ((len = is_dst (start, name, "PLATFORM", is_path)) != 0)
+ repl = GLRO(dl_platform);
+- else if ((len = is_dst (start, name, "LIB", is_path, 0)) != 0)
++ else if ((len = is_dst (start, name, "LIB", is_path)) != 0)
+ repl = DL_DST_LIB;
+
+ if (repl != NULL && repl != (const char *) -1)
+--
+1.7.2.3
+
+
+--
+Andreas Schwab, schwab@redhat.com
+GPG Key fingerprint = D4E8 DBE3 3813 BB5D FA84 5EC7 45C6 250E 6F00 984E
+"And now for something completely different."
+
diff --git a/glibc/CVE-2010-3856.patch b/glibc/CVE-2010-3856.patch
new file mode 100644
index 0000000..0a621c9
--- /dev/null
+++ b/glibc/CVE-2010-3856.patch
@@ -0,0 +1,227 @@
+# http://seclists.org/fulldisclosure/2010/Oct/344
+# http://sourceware.org/ml/libc-hacker/2010-10/msg00010.html
+
+2010-10-22 Andreas Schwab <schwab@redhat.com>
+
+ * include/dlfcn.h (__RTLD_SECURE): Define.
+ * elf/dl-load.c (_dl_map_object): Remove preloaded parameter. Use
+ mode & __RTLD_SECURE instead.
+ (open_path): Rename preloaded parameter to secure.
+ * sysdeps/generic/ldsodefs.h (_dl_map_object): Adjust declaration.
+ * elf/dl-open.c (dl_open_worker): Adjust call to _dl_map_object.
+ * elf/dl-deps.c (openaux): Likewise.
+ * elf/rtld.c (struct map_args): Remove is_preloaded.
+ (map_doit): Don't use it.
+ (dl_main): Likewise.
+ (do_preload): Use __RTLD_SECURE instead of is_preloaded.
+ (dlmopen_doit): Add __RTLD_SECURE to mode bits.
+---
+ elf/dl-deps.c | 2 +-
+ elf/dl-load.c | 20 +++++++++++---------
+ elf/dl-open.c | 2 +-
+ elf/rtld.c | 16 +++++++---------
+ include/dlfcn.h | 1 +
+ sysdeps/generic/ldsodefs.h | 6 ++----
+ 6 files changed, 23 insertions(+), 24 deletions(-)
+
+diff --git a/elf/dl-deps.c b/elf/dl-deps.c
+index e5b9cdf..1cab2d1 100644
+--- a/elf/dl-deps.c
++++ b/elf/dl-deps.c
+@@ -62,7 +62,7 @@ openaux (void *a)
+ {
+ struct openaux_args *args = (struct openaux_args *) a;
+
+- args->aux = _dl_map_object (args->map, args->name, 0,
++ args->aux = _dl_map_object (args->map, args->name,
+ (args->map->l_type == lt_executable
+ ? lt_library : args->map->l_type),
+ args->trace_mode, args->open_mode,
+diff --git a/elf/dl-load.c b/elf/dl-load.c
+index 776f7e4..9ab3520 100644
+--- a/elf/dl-load.c
++++ b/elf/dl-load.c
+@@ -1808,7 +1808,7 @@ open_verify (const char *name, struct filebuf *fbp, struct link_map *loader,
+ if MAY_FREE_DIRS is true. */
+
+ static int
+-open_path (const char *name, size_t namelen, int preloaded,
++open_path (const char *name, size_t namelen, int secure,
+ struct r_search_path_struct *sps, char **realname,
+ struct filebuf *fbp, struct link_map *loader, int whatcode,
+ bool *found_other_class)
+@@ -1890,7 +1890,7 @@ open_path (const char *name, size_t namelen, int preloaded,
+ /* Remember whether we found any existing directory. */
+ here_any |= this_dir->status[cnt] != nonexisting;
+
+- if (fd != -1 && __builtin_expect (preloaded, 0)
++ if (fd != -1 && __builtin_expect (secure, 0)
+ && INTUSE(__libc_enable_secure))
+ {
+ /* This is an extra security effort to make sure nobody can
+@@ -1959,7 +1959,7 @@ open_path (const char *name, size_t namelen, int preloaded,
+
+ struct link_map *
+ internal_function
+-_dl_map_object (struct link_map *loader, const char *name, int preloaded,
++_dl_map_object (struct link_map *loader, const char *name,
+ int type, int trace_mode, int mode, Lmid_t nsid)
+ {
+ int fd;
+@@ -2063,7 +2063,8 @@ _dl_map_object (struct link_map *loader, const char *name, int preloaded,
+ for (l = loader; l; l = l->l_loader)
+ if (cache_rpath (l, &l->l_rpath_dirs, DT_RPATH, "RPATH"))
+ {
+- fd = open_path (name, namelen, preloaded, &l->l_rpath_dirs,
++ fd = open_path (name, namelen, mode & __RTLD_SECURE,
++ &l->l_rpath_dirs,
+ &realname, &fb, loader, LA_SER_RUNPATH,
+ &found_other_class);
+ if (fd != -1)
+@@ -2078,14 +2079,15 @@ _dl_map_object (struct link_map *loader, const char *name, int preloaded,
+ && main_map != NULL && main_map->l_type != lt_loaded
+ && cache_rpath (main_map, &main_map->l_rpath_dirs, DT_RPATH,
+ "RPATH"))
+- fd = open_path (name, namelen, preloaded, &main_map->l_rpath_dirs,
++ fd = open_path (name, namelen, mode & __RTLD_SECURE,
++ &main_map->l_rpath_dirs,
+ &realname, &fb, loader ?: main_map, LA_SER_RUNPATH,
+ &found_other_class);
+ }
+
+ /* Try the LD_LIBRARY_PATH environment variable. */
+ if (fd == -1 && env_path_list.dirs != (void *) -1)
+- fd = open_path (name, namelen, preloaded, &env_path_list,
++ fd = open_path (name, namelen, mode & __RTLD_SECURE, &env_path_list,
+ &realname, &fb,
+ loader ?: GL(dl_ns)[LM_ID_BASE]._ns_loaded,
+ LA_SER_LIBPATH, &found_other_class);
+@@ -2094,12 +2096,12 @@ _dl_map_object (struct link_map *loader, const char *name, int preloaded,
+ if (fd == -1 && loader != NULL
+ && cache_rpath (loader, &loader->l_runpath_dirs,
+ DT_RUNPATH, "RUNPATH"))
+- fd = open_path (name, namelen, preloaded,
++ fd = open_path (name, namelen, mode & __RTLD_SECURE,
+ &loader->l_runpath_dirs, &realname, &fb, loader,
+ LA_SER_RUNPATH, &found_other_class);
+
+ if (fd == -1
+- && (__builtin_expect (! preloaded, 1)
++ && (__builtin_expect (! (mode & __RTLD_SECURE), 1)
+ || ! INTUSE(__libc_enable_secure)))
+ {
+ /* Check the list of libraries in the file /etc/ld.so.cache,
+@@ -2165,7 +2167,7 @@ _dl_map_object (struct link_map *loader, const char *name, int preloaded,
+ && ((l = loader ?: GL(dl_ns)[nsid]._ns_loaded) == NULL
+ || __builtin_expect (!(l->l_flags_1 & DF_1_NODEFLIB), 1))
+ && rtld_search_dirs.dirs != (void *) -1)
+- fd = open_path (name, namelen, preloaded, &rtld_search_dirs,
++ fd = open_path (name, namelen, mode & __RTLD_SECURE, &rtld_search_dirs,
+ &realname, &fb, l, LA_SER_DEFAULT, &found_other_class);
+
+ /* Add another newline when we are tracing the library loading. */
+diff --git a/elf/dl-open.c b/elf/dl-open.c
+index c394b3f..cf8e8cc 100644
+--- a/elf/dl-open.c
++++ b/elf/dl-open.c
+@@ -223,7 +223,7 @@ dl_open_worker (void *a)
+
+ /* Load the named object. */
+ struct link_map *new;
+- args->map = new = _dl_map_object (call_map, file, 0, lt_loaded, 0,
++ args->map = new = _dl_map_object (call_map, file, lt_loaded, 0,
+ mode | __RTLD_CALLMAP, args->nsid);
+
+ /* If the pointer returned is NULL this means the RTLD_NOLOAD flag is
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 201c9cf..4a8cee8 100644
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -587,7 +587,6 @@ struct map_args
+ /* Argument to map_doit. */
+ char *str;
+ struct link_map *loader;
+- int is_preloaded;
+ int mode;
+ /* Return value of map_doit. */
+ struct link_map *map;
+@@ -625,16 +624,17 @@ static void
+ map_doit (void *a)
+ {
+ struct map_args *args = (struct map_args *) a;
+- args->map = _dl_map_object (args->loader, args->str,
+- args->is_preloaded, lt_library, 0, args->mode,
+- LM_ID_BASE);
++ args->map = _dl_map_object (args->loader, args->str, lt_library, 0,
++ args->mode, LM_ID_BASE);
+ }
+
+ static void
+ dlmopen_doit (void *a)
+ {
+ struct dlmopen_args *args = (struct dlmopen_args *) a;
+- args->map = _dl_open (args->fname, RTLD_LAZY | __RTLD_DLOPEN | __RTLD_AUDIT,
++ args->map = _dl_open (args->fname,
++ (RTLD_LAZY | __RTLD_DLOPEN | __RTLD_AUDIT
++ | __RTLD_SECURE),
+ dl_main, LM_ID_NEWLM, _dl_argc, INTUSE(_dl_argv),
+ __environ);
+ }
+@@ -804,8 +804,7 @@ do_preload (char *fname, struct link_map *main_map, const char *where)
+
+ args.str = fname;
+ args.loader = main_map;
+- args.is_preloaded = 1;
+- args.mode = 0;
++ args.mode = __RTLD_SECURE;
+
+ unsigned int old_nloaded = GL(dl_ns)[LM_ID_BASE]._ns_nloaded;
+
+@@ -1050,7 +1049,6 @@ of this helper program; chances are you did not intend to run this program.\n\
+
+ args.str = rtld_progname;
+ args.loader = NULL;
+- args.is_preloaded = 0;
+ args.mode = __RTLD_OPENEXEC;
+ (void) _dl_catch_error (&objname, &err_str, &malloced, map_doit,
+ &args);
+@@ -1062,7 +1060,7 @@ of this helper program; chances are you did not intend to run this program.\n\
+ else
+ {
+ HP_TIMING_NOW (start);
+- _dl_map_object (NULL, rtld_progname, 0, lt_library, 0,
++ _dl_map_object (NULL, rtld_progname, lt_library, 0,
+ __RTLD_OPENEXEC, LM_ID_BASE);
+ HP_TIMING_NOW (stop);
+
+diff --git a/include/dlfcn.h b/include/dlfcn.h
+index a67426d..af92483 100644
+--- a/include/dlfcn.h
++++ b/include/dlfcn.h
+@@ -9,6 +9,7 @@
+ #define __RTLD_OPENEXEC 0x20000000
+ #define __RTLD_CALLMAP 0x10000000
+ #define __RTLD_AUDIT 0x08000000
++#define __RTLD_SECURE 0x04000000 /* Apply additional security checks. */
+
+ #define __LM_ID_CALLER -2
+
+diff --git a/sysdeps/generic/ldsodefs.h b/sysdeps/generic/ldsodefs.h
+index fcc943b..fa4b6b2 100644
+--- a/sysdeps/generic/ldsodefs.h
++++ b/sysdeps/generic/ldsodefs.h
+@@ -824,11 +824,9 @@ extern void _dl_receive_error (receiver_fct fct, void (*operate) (void *),
+
+ /* Open the shared object NAME and map in its segments.
+ LOADER's DT_RPATH is used in searching for NAME.
+- If the object is already opened, returns its existing map.
+- For preloaded shared objects PRELOADED is set to a non-zero
+- value to allow additional security checks. */
++ If the object is already opened, returns its existing map. */
+ extern struct link_map *_dl_map_object (struct link_map *loader,
+- const char *name, int preloaded,
++ const char *name,
+ int type, int trace_mode, int mode,
+ Lmid_t nsid)
+ internal_function attribute_hidden;
+
diff --git a/glibc/Pkgfile b/glibc/Pkgfile
index 9d1786b..15dd157 100644
--- a/glibc/Pkgfile
+++ b/glibc/Pkgfile
@@ -4,10 +4,11 @@
name=glibc
version=2.10.1
-release=2
+release=3
source=(http://ftp.gnu.org/gnu/glibc/glibc-$version.tar.bz2
http://ftp.gnu.org/gnu/glibc/glibc-libidn-$version.tar.bz2
http://crux.nu/files/distfiles/kernel-headers-2.6.29-1.tar.bz2
+ CVE-2010-3847.patch CVE-2010-3856.patch
hosts resolv.conf nsswitch.conf host.conf ld.so.conf)
build() {
@@ -19,6 +20,9 @@ build() {
# libidn files
mv $name-libidn-$version $name-$version/libidn
+ patch -p1 -d $name-$version -i $SRC/CVE-2010-3847.patch
+ patch -p1 -d $name-$version -i $SRC/CVE-2010-3856.patch
+
mkdir build
cd build
../$name-$version/configure --prefix=/usr \
_______________________________________________
CRUX mailing list
CRUX@lists.crux.nu
http://lists.crux.nu/mailman/listinfo/crux
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic