diff options
author | Juergen Daubert <jue@jue.li> | 2010-10-26 14:57:52 +0200 |
---|---|---|
committer | Juergen Daubert <jue@jue.li> | 2010-10-26 14:57:52 +0200 |
commit | f6826a058ad0548a4046f8193fc28aa2329b78b1 (patch) | |
tree | d61feb4757c698e65b40c0012ff2c383c03bef8a | |
parent | f735b62fd55d1eb1b0c6f8cb361b3b6736ecc913 (diff) | |
download | core-2.6.tar.gz core-2.6.tar.xz |
[notify] glibc: security fix for CVE-2010-3847 and CVE-2010-38562.6
Important security fix, a local attacker could exploit this to
gain root privileges.
See
- http://seclists.org/fulldisclosure/2010/Oct/257
- http://seclists.org/fulldisclosure/2010/Oct/344
-rw-r--r-- | glibc/.md5sum | 2 | ||||
-rw-r--r-- | glibc/CVE-2010-3847.patch | 98 | ||||
-rw-r--r-- | glibc/CVE-2010-3856.patch | 227 | ||||
-rw-r--r-- | glibc/Pkgfile | 6 |
4 files changed, 332 insertions, 1 deletions
diff --git a/glibc/.md5sum b/glibc/.md5sum index abf400b5..7422bc97 100644 --- a/glibc/.md5sum +++ b/glibc/.md5sum @@ -1,3 +1,5 @@ +733615b9c7f778639725ca40dbb781c6 CVE-2010-3847.patch +e64fc10ef089b48de254b5322b54cd42 CVE-2010-3856.patch ee71dedf724dc775e4efec9b823ed3be glibc-2.10.1.tar.bz2 8ef88560ec608d5923ee05eb5f0e15ea glibc-libidn-2.10.1.tar.bz2 96156bec8e05de67384dc93e72bdc313 host.conf diff --git a/glibc/CVE-2010-3847.patch b/glibc/CVE-2010-3847.patch new file mode 100644 index 00000000..3b2bd1c8 --- /dev/null +++ b/glibc/CVE-2010-3847.patch @@ -0,0 +1,98 @@ +# http://seclists.org/fulldisclosure/2010/Oct/257 +# http://sourceware.org/ml/libc-hacker/2010-10/msg00007.html + +Path elements containing $ORIGIN should always be ignored in privileged +programs. + +Andreas. + +2010-10-18 Andreas Schwab <schwab@redhat.com> + + * elf/dl-load.c (is_dst): Remove last parameter. + (_dl_dst_count): Ignore $ORIGIN in privileged programs. + (_dl_dst_substitute): Likewise. +--- + elf/dl-load.c | 30 +++++++++++++----------------- + 1 files changed, 13 insertions(+), 17 deletions(-) + +diff --git a/elf/dl-load.c b/elf/dl-load.c +index a7162eb..776f7e4 100644 +--- a/elf/dl-load.c ++++ b/elf/dl-load.c +@@ -169,8 +169,7 @@ local_strdup (const char *s) + + + static size_t +-is_dst (const char *start, const char *name, const char *str, +- int is_path, int secure) ++is_dst (const char *start, const char *name, const char *str, int is_path) + { + size_t len; + bool is_curly = false; +@@ -199,11 +198,6 @@ is_dst (const char *start, const char *name, const char *str, + && (!is_path || name[len] != ':')) + return 0; + +- if (__builtin_expect (secure, 0) +- && ((name[len] != '\0' && (!is_path || name[len] != ':')) +- || (name != start + 1 && (!is_path || name[-2] != ':')))) +- return 0; +- + return len; + } + +@@ -218,13 +212,12 @@ _dl_dst_count (const char *name, int is_path) + { + size_t len; + +- /* $ORIGIN is not expanded for SUID/GUID programs (except if it +- is $ORIGIN alone) and it must always appear first in path. */ ++ /* $ORIGIN is not expanded for SUID/GUID programs. */ + ++name; +- if ((len = is_dst (start, name, "ORIGIN", is_path, +- INTUSE(__libc_enable_secure))) != 0 +- || (len = is_dst (start, name, "PLATFORM", is_path, 0)) != 0 +- || (len = is_dst (start, name, "LIB", is_path, 0)) != 0) ++ if (((len = is_dst (start, name, "ORIGIN", is_path)) != 0 ++ && !INTUSE(__libc_enable_secure)) ++ || (len = is_dst (start, name, "PLATFORM", is_path)) != 0 ++ || (len = is_dst (start, name, "LIB", is_path)) != 0) + ++cnt; + + name = strchr (name + len, '$'); +@@ -256,9 +249,12 @@ _dl_dst_substitute (struct link_map *l, const char *name, char *result, + size_t len; + + ++name; +- if ((len = is_dst (start, name, "ORIGIN", is_path, +- INTUSE(__libc_enable_secure))) != 0) ++ if ((len = is_dst (start, name, "ORIGIN", is_path)) != 0) + { ++ /* Ignore this path element in SUID/SGID programs. */ ++ if (INTUSE(__libc_enable_secure)) ++ repl = (const char *) -1; ++ else + #ifndef SHARED + if (l == NULL) + repl = _dl_get_origin (); +@@ -266,9 +262,9 @@ _dl_dst_substitute (struct link_map *l, const char *name, char *result, + #endif + repl = l->l_origin; + } +- else if ((len = is_dst (start, name, "PLATFORM", is_path, 0)) != 0) ++ else if ((len = is_dst (start, name, "PLATFORM", is_path)) != 0) + repl = GLRO(dl_platform); +- else if ((len = is_dst (start, name, "LIB", is_path, 0)) != 0) ++ else if ((len = is_dst (start, name, "LIB", is_path)) != 0) + repl = DL_DST_LIB; + + if (repl != NULL && repl != (const char *) -1) +-- +1.7.2.3 + + +-- +Andreas Schwab, schwab@redhat.com +GPG Key fingerprint = D4E8 DBE3 3813 BB5D FA84 5EC7 45C6 250E 6F00 984E +"And now for something completely different." + diff --git a/glibc/CVE-2010-3856.patch b/glibc/CVE-2010-3856.patch new file mode 100644 index 00000000..0a621c94 --- /dev/null +++ b/glibc/CVE-2010-3856.patch @@ -0,0 +1,227 @@ +# http://seclists.org/fulldisclosure/2010/Oct/344 +# http://sourceware.org/ml/libc-hacker/2010-10/msg00010.html + +2010-10-22 Andreas Schwab <schwab@redhat.com> + + * include/dlfcn.h (__RTLD_SECURE): Define. + * elf/dl-load.c (_dl_map_object): Remove preloaded parameter. Use + mode & __RTLD_SECURE instead. + (open_path): Rename preloaded parameter to secure. + * sysdeps/generic/ldsodefs.h (_dl_map_object): Adjust declaration. + * elf/dl-open.c (dl_open_worker): Adjust call to _dl_map_object. + * elf/dl-deps.c (openaux): Likewise. + * elf/rtld.c (struct map_args): Remove is_preloaded. + (map_doit): Don't use it. + (dl_main): Likewise. + (do_preload): Use __RTLD_SECURE instead of is_preloaded. + (dlmopen_doit): Add __RTLD_SECURE to mode bits. +--- + elf/dl-deps.c | 2 +- + elf/dl-load.c | 20 +++++++++++--------- + elf/dl-open.c | 2 +- + elf/rtld.c | 16 +++++++--------- + include/dlfcn.h | 1 + + sysdeps/generic/ldsodefs.h | 6 ++---- + 6 files changed, 23 insertions(+), 24 deletions(-) + +diff --git a/elf/dl-deps.c b/elf/dl-deps.c +index e5b9cdf..1cab2d1 100644 +--- a/elf/dl-deps.c ++++ b/elf/dl-deps.c +@@ -62,7 +62,7 @@ openaux (void *a) + { + struct openaux_args *args = (struct openaux_args *) a; + +- args->aux = _dl_map_object (args->map, args->name, 0, ++ args->aux = _dl_map_object (args->map, args->name, + (args->map->l_type == lt_executable + ? lt_library : args->map->l_type), + args->trace_mode, args->open_mode, +diff --git a/elf/dl-load.c b/elf/dl-load.c +index 776f7e4..9ab3520 100644 +--- a/elf/dl-load.c ++++ b/elf/dl-load.c +@@ -1808,7 +1808,7 @@ open_verify (const char *name, struct filebuf *fbp, struct link_map *loader, + if MAY_FREE_DIRS is true. */ + + static int +-open_path (const char *name, size_t namelen, int preloaded, ++open_path (const char *name, size_t namelen, int secure, + struct r_search_path_struct *sps, char **realname, + struct filebuf *fbp, struct link_map *loader, int whatcode, + bool *found_other_class) +@@ -1890,7 +1890,7 @@ open_path (const char *name, size_t namelen, int preloaded, + /* Remember whether we found any existing directory. */ + here_any |= this_dir->status[cnt] != nonexisting; + +- if (fd != -1 && __builtin_expect (preloaded, 0) ++ if (fd != -1 && __builtin_expect (secure, 0) + && INTUSE(__libc_enable_secure)) + { + /* This is an extra security effort to make sure nobody can +@@ -1959,7 +1959,7 @@ open_path (const char *name, size_t namelen, int preloaded, + + struct link_map * + internal_function +-_dl_map_object (struct link_map *loader, const char *name, int preloaded, ++_dl_map_object (struct link_map *loader, const char *name, + int type, int trace_mode, int mode, Lmid_t nsid) + { + int fd; +@@ -2063,7 +2063,8 @@ _dl_map_object (struct link_map *loader, const char *name, int preloaded, + for (l = loader; l; l = l->l_loader) + if (cache_rpath (l, &l->l_rpath_dirs, DT_RPATH, "RPATH")) + { +- fd = open_path (name, namelen, preloaded, &l->l_rpath_dirs, ++ fd = open_path (name, namelen, mode & __RTLD_SECURE, ++ &l->l_rpath_dirs, + &realname, &fb, loader, LA_SER_RUNPATH, + &found_other_class); + if (fd != -1) +@@ -2078,14 +2079,15 @@ _dl_map_object (struct link_map *loader, const char *name, int preloaded, + && main_map != NULL && main_map->l_type != lt_loaded + && cache_rpath (main_map, &main_map->l_rpath_dirs, DT_RPATH, + "RPATH")) +- fd = open_path (name, namelen, preloaded, &main_map->l_rpath_dirs, ++ fd = open_path (name, namelen, mode & __RTLD_SECURE, ++ &main_map->l_rpath_dirs, + &realname, &fb, loader ?: main_map, LA_SER_RUNPATH, + &found_other_class); + } + + /* Try the LD_LIBRARY_PATH environment variable. */ + if (fd == -1 && env_path_list.dirs != (void *) -1) +- fd = open_path (name, namelen, preloaded, &env_path_list, ++ fd = open_path (name, namelen, mode & __RTLD_SECURE, &env_path_list, + &realname, &fb, + loader ?: GL(dl_ns)[LM_ID_BASE]._ns_loaded, + LA_SER_LIBPATH, &found_other_class); +@@ -2094,12 +2096,12 @@ _dl_map_object (struct link_map *loader, const char *name, int preloaded, + if (fd == -1 && loader != NULL + && cache_rpath (loader, &loader->l_runpath_dirs, + DT_RUNPATH, "RUNPATH")) +- fd = open_path (name, namelen, preloaded, ++ fd = open_path (name, namelen, mode & __RTLD_SECURE, + &loader->l_runpath_dirs, &realname, &fb, loader, + LA_SER_RUNPATH, &found_other_class); + + if (fd == -1 +- && (__builtin_expect (! preloaded, 1) ++ && (__builtin_expect (! (mode & __RTLD_SECURE), 1) + || ! INTUSE(__libc_enable_secure))) + { + /* Check the list of libraries in the file /etc/ld.so.cache, +@@ -2165,7 +2167,7 @@ _dl_map_object (struct link_map *loader, const char *name, int preloaded, + && ((l = loader ?: GL(dl_ns)[nsid]._ns_loaded) == NULL + || __builtin_expect (!(l->l_flags_1 & DF_1_NODEFLIB), 1)) + && rtld_search_dirs.dirs != (void *) -1) +- fd = open_path (name, namelen, preloaded, &rtld_search_dirs, ++ fd = open_path (name, namelen, mode & __RTLD_SECURE, &rtld_search_dirs, + &realname, &fb, l, LA_SER_DEFAULT, &found_other_class); + + /* Add another newline when we are tracing the library loading. */ +diff --git a/elf/dl-open.c b/elf/dl-open.c +index c394b3f..cf8e8cc 100644 +--- a/elf/dl-open.c ++++ b/elf/dl-open.c +@@ -223,7 +223,7 @@ dl_open_worker (void *a) + + /* Load the named object. */ + struct link_map *new; +- args->map = new = _dl_map_object (call_map, file, 0, lt_loaded, 0, ++ args->map = new = _dl_map_object (call_map, file, lt_loaded, 0, + mode | __RTLD_CALLMAP, args->nsid); + + /* If the pointer returned is NULL this means the RTLD_NOLOAD flag is +diff --git a/elf/rtld.c b/elf/rtld.c +index 201c9cf..4a8cee8 100644 +--- a/elf/rtld.c ++++ b/elf/rtld.c +@@ -587,7 +587,6 @@ struct map_args + /* Argument to map_doit. */ + char *str; + struct link_map *loader; +- int is_preloaded; + int mode; + /* Return value of map_doit. */ + struct link_map *map; +@@ -625,16 +624,17 @@ static void + map_doit (void *a) + { + struct map_args *args = (struct map_args *) a; +- args->map = _dl_map_object (args->loader, args->str, +- args->is_preloaded, lt_library, 0, args->mode, +- LM_ID_BASE); ++ args->map = _dl_map_object (args->loader, args->str, lt_library, 0, ++ args->mode, LM_ID_BASE); + } + + static void + dlmopen_doit (void *a) + { + struct dlmopen_args *args = (struct dlmopen_args *) a; +- args->map = _dl_open (args->fname, RTLD_LAZY | __RTLD_DLOPEN | __RTLD_AUDIT, ++ args->map = _dl_open (args->fname, ++ (RTLD_LAZY | __RTLD_DLOPEN | __RTLD_AUDIT ++ | __RTLD_SECURE), + dl_main, LM_ID_NEWLM, _dl_argc, INTUSE(_dl_argv), + __environ); + } +@@ -804,8 +804,7 @@ do_preload (char *fname, struct link_map *main_map, const char *where) + + args.str = fname; + args.loader = main_map; +- args.is_preloaded = 1; +- args.mode = 0; ++ args.mode = __RTLD_SECURE; + + unsigned int old_nloaded = GL(dl_ns)[LM_ID_BASE]._ns_nloaded; + +@@ -1050,7 +1049,6 @@ of this helper program; chances are you did not intend to run this program.\n\ + + args.str = rtld_progname; + args.loader = NULL; +- args.is_preloaded = 0; + args.mode = __RTLD_OPENEXEC; + (void) _dl_catch_error (&objname, &err_str, &malloced, map_doit, + &args); +@@ -1062,7 +1060,7 @@ of this helper program; chances are you did not intend to run this program.\n\ + else + { + HP_TIMING_NOW (start); +- _dl_map_object (NULL, rtld_progname, 0, lt_library, 0, ++ _dl_map_object (NULL, rtld_progname, lt_library, 0, + __RTLD_OPENEXEC, LM_ID_BASE); + HP_TIMING_NOW (stop); + +diff --git a/include/dlfcn.h b/include/dlfcn.h +index a67426d..af92483 100644 +--- a/include/dlfcn.h ++++ b/include/dlfcn.h +@@ -9,6 +9,7 @@ + #define __RTLD_OPENEXEC 0x20000000 + #define __RTLD_CALLMAP 0x10000000 + #define __RTLD_AUDIT 0x08000000 ++#define __RTLD_SECURE 0x04000000 /* Apply additional security checks. */ + + #define __LM_ID_CALLER -2 + +diff --git a/sysdeps/generic/ldsodefs.h b/sysdeps/generic/ldsodefs.h +index fcc943b..fa4b6b2 100644 +--- a/sysdeps/generic/ldsodefs.h ++++ b/sysdeps/generic/ldsodefs.h +@@ -824,11 +824,9 @@ extern void _dl_receive_error (receiver_fct fct, void (*operate) (void *), + + /* Open the shared object NAME and map in its segments. + LOADER's DT_RPATH is used in searching for NAME. +- If the object is already opened, returns its existing map. +- For preloaded shared objects PRELOADED is set to a non-zero +- value to allow additional security checks. */ ++ If the object is already opened, returns its existing map. */ + extern struct link_map *_dl_map_object (struct link_map *loader, +- const char *name, int preloaded, ++ const char *name, + int type, int trace_mode, int mode, + Lmid_t nsid) + internal_function attribute_hidden; + diff --git a/glibc/Pkgfile b/glibc/Pkgfile index 9d1786b3..15dd1572 100644 --- a/glibc/Pkgfile +++ b/glibc/Pkgfile @@ -4,10 +4,11 @@ name=glibc version=2.10.1 -release=2 +release=3 source=(http://ftp.gnu.org/gnu/glibc/glibc-$version.tar.bz2 http://ftp.gnu.org/gnu/glibc/glibc-libidn-$version.tar.bz2 http://crux.nu/files/distfiles/kernel-headers-2.6.29-1.tar.bz2 + CVE-2010-3847.patch CVE-2010-3856.patch hosts resolv.conf nsswitch.conf host.conf ld.so.conf) build() { @@ -19,6 +20,9 @@ build() { # libidn files mv $name-libidn-$version $name-$version/libidn + patch -p1 -d $name-$version -i $SRC/CVE-2010-3847.patch + patch -p1 -d $name-$version -i $SRC/CVE-2010-3856.patch + mkdir build cd build ../$name-$version/configure --prefix=/usr \ |