[notify] glibc: security fix for CVE-2010-3847 and CVE-2010-38562.6

Important security fix, a local attacker could exploit this to
gain root privileges.

See
- http://seclists.org/fulldisclosure/2010/Oct/257
- http://seclists.org/fulldisclosure/2010/Oct/344

4 files changed, 332 insertions, 1 deletions

diff --git a/glibc/.md5sum b/glibc/.md5sum
index abf400b5..7422bc97 100644
--- a/glibc/.md5sum
+++ b/glibc/.md5sum
@@ -1,3 +1,5 @@
+733615b9c7f778639725ca40dbb781c6  CVE-2010-3847.patch
+e64fc10ef089b48de254b5322b54cd42  CVE-2010-3856.patch
 ee71dedf724dc775e4efec9b823ed3be  glibc-2.10.1.tar.bz2
 8ef88560ec608d5923ee05eb5f0e15ea  glibc-libidn-2.10.1.tar.bz2
 96156bec8e05de67384dc93e72bdc313  host.conf
diff --git a/glibc/CVE-2010-3847.patch b/glibc/CVE-2010-3847.patch
new file mode 100644
index 00000000..3b2bd1c8
--- /dev/null
+++ b/glibc/CVE-2010-3847.patch
@@ -0,0 +1,98 @@
+# http://seclists.org/fulldisclosure/2010/Oct/257
+# http://sourceware.org/ml/libc-hacker/2010-10/msg00007.html
+
+Path elements containing $ORIGIN should always be ignored in privileged
+programs.
+
+Andreas.
+
+2010-10-18  Andreas Schwab  <schwab@redhat.com>
+
+	* elf/dl-load.c (is_dst): Remove last parameter.
+	(_dl_dst_count): Ignore $ORIGIN in privileged programs.
+	(_dl_dst_substitute): Likewise.
+---
+ elf/dl-load.c |   30 +++++++++++++-----------------
+ 1 files changed, 13 insertions(+), 17 deletions(-)
+
+diff --git a/elf/dl-load.c b/elf/dl-load.c
+index a7162eb..776f7e4 100644
+--- a/elf/dl-load.c
++++ b/elf/dl-load.c
+@@ -169,8 +169,7 @@ local_strdup (const char *s)
+ 
+ 
+ static size_t
+-is_dst (const char *start, const char *name, const char *str,
+-	int is_path, int secure)
++is_dst (const char *start, const char *name, const char *str, int is_path)
+ {
+   size_t len;
+   bool is_curly = false;
+@@ -199,11 +198,6 @@ is_dst (const char *start, const char *name, const char *str,
+ 	   && (!is_path || name[len] != ':'))
+     return 0;
+ 
+-  if (__builtin_expect (secure, 0)
+-      && ((name[len] != '\0' && (!is_path || name[len] != ':'))
+-	  || (name != start + 1 && (!is_path || name[-2] != ':'))))
+-    return 0;
+-
+   return len;
+ }
+ 
+@@ -218,13 +212,12 @@ _dl_dst_count (const char *name, int is_path)
+     {
+       size_t len;
+ 
+-      /* $ORIGIN is not expanded for SUID/GUID programs (except if it
+-	 is $ORIGIN alone) and it must always appear first in path.  */
++      /* $ORIGIN is not expanded for SUID/GUID programs.  */
+       ++name;
+-      if ((len = is_dst (start, name, "ORIGIN", is_path,
+-			 INTUSE(__libc_enable_secure))) != 0
+-	  || (len = is_dst (start, name, "PLATFORM", is_path, 0)) != 0
+-	  || (len = is_dst (start, name, "LIB", is_path, 0)) != 0)
++      if (((len = is_dst (start, name, "ORIGIN", is_path)) != 0
++	   && !INTUSE(__libc_enable_secure))
++	  || (len = is_dst (start, name, "PLATFORM", is_path)) != 0
++	  || (len = is_dst (start, name, "LIB", is_path)) != 0)
+ 	++cnt;
+ 
+       name = strchr (name + len, '$');
+@@ -256,9 +249,12 @@ _dl_dst_substitute (struct link_map *l, const char *name, char *result,
+ 	  size_t len;
+ 
+ 	  ++name;
+-	  if ((len = is_dst (start, name, "ORIGIN", is_path,
+-			     INTUSE(__libc_enable_secure))) != 0)
++	  if ((len = is_dst (start, name, "ORIGIN", is_path)) != 0)
+ 	    {
++	      /* Ignore this path element in SUID/SGID programs.  */
++	      if (INTUSE(__libc_enable_secure))
++		repl = (const char *) -1;
++	      else
+ #ifndef SHARED
+ 	      if (l == NULL)
+ 		repl = _dl_get_origin ();
+@@ -266,9 +262,9 @@ _dl_dst_substitute (struct link_map *l, const char *name, char *result,
+ #endif
+ 		repl = l->l_origin;
+ 	    }
+-	  else if ((len = is_dst (start, name, "PLATFORM", is_path, 0)) != 0)
++	  else if ((len = is_dst (start, name, "PLATFORM", is_path)) != 0)
+ 	    repl = GLRO(dl_platform);
+-	  else if ((len = is_dst (start, name, "LIB", is_path, 0)) != 0)
++	  else if ((len = is_dst (start, name, "LIB", is_path)) != 0)
+ 	    repl = DL_DST_LIB;
+ 
+ 	  if (repl != NULL && repl != (const char *) -1)
+-- 
+1.7.2.3
+
+
+-- 
+Andreas Schwab, schwab@redhat.com
+GPG Key fingerprint = D4E8 DBE3 3813 BB5D FA84  5EC7 45C6 250E 6F00 984E
+"And now for something completely different."
+
diff --git a/glibc/CVE-2010-3856.patch b/glibc/CVE-2010-3856.patch
new file mode 100644
index 00000000..0a621c94
--- /dev/null
+++ b/glibc/CVE-2010-3856.patch
@@ -0,0 +1,227 @@
+# http://seclists.org/fulldisclosure/2010/Oct/344
+# http://sourceware.org/ml/libc-hacker/2010-10/msg00010.html
+
+2010-10-22  Andreas Schwab  <schwab@redhat.com>
+
+	* include/dlfcn.h (__RTLD_SECURE): Define.
+	* elf/dl-load.c (_dl_map_object): Remove preloaded parameter.  Use
+	mode & __RTLD_SECURE instead.
+	(open_path): Rename preloaded parameter to secure.
+	* sysdeps/generic/ldsodefs.h (_dl_map_object): Adjust declaration.
+	* elf/dl-open.c (dl_open_worker): Adjust call to _dl_map_object.
+	* elf/dl-deps.c (openaux): Likewise.
+	* elf/rtld.c (struct map_args): Remove is_preloaded.
+	(map_doit): Don't use it.
+	(dl_main): Likewise.
+	(do_preload): Use __RTLD_SECURE instead of is_preloaded.
+	(dlmopen_doit): Add __RTLD_SECURE to mode bits.
+---
+ elf/dl-deps.c              |    2 +-
+ elf/dl-load.c              |   20 +++++++++++---------
+ elf/dl-open.c              |    2 +-
+ elf/rtld.c                 |   16 +++++++---------
+ include/dlfcn.h            |    1 +
+ sysdeps/generic/ldsodefs.h |    6 ++----
+ 6 files changed, 23 insertions(+), 24 deletions(-)
+
+diff --git a/elf/dl-deps.c b/elf/dl-deps.c
+index e5b9cdf..1cab2d1 100644
+--- a/elf/dl-deps.c
++++ b/elf/dl-deps.c
+@@ -62,7 +62,7 @@ openaux (void *a)
+ {
+   struct openaux_args *args = (struct openaux_args *) a;
+ 
+-  args->aux = _dl_map_object (args->map, args->name, 0,
++  args->aux = _dl_map_object (args->map, args->name,
+ 			      (args->map->l_type == lt_executable
+ 			       ? lt_library : args->map->l_type),
+ 			      args->trace_mode, args->open_mode,
+diff --git a/elf/dl-load.c b/elf/dl-load.c
+index 776f7e4..9ab3520 100644
+--- a/elf/dl-load.c
++++ b/elf/dl-load.c
+@@ -1808,7 +1808,7 @@ open_verify (const char *name, struct filebuf *fbp, struct link_map *loader,
+    if MAY_FREE_DIRS is true.  */
+ 
+ static int
+-open_path (const char *name, size_t namelen, int preloaded,
++open_path (const char *name, size_t namelen, int secure,
+ 	   struct r_search_path_struct *sps, char **realname,
+ 	   struct filebuf *fbp, struct link_map *loader, int whatcode,
+ 	   bool *found_other_class)
+@@ -1890,7 +1890,7 @@ open_path (const char *name, size_t namelen, int preloaded,
+ 	  /* Remember whether we found any existing directory.  */
+ 	  here_any |= this_dir->status[cnt] != nonexisting;
+ 
+-	  if (fd != -1 && __builtin_expect (preloaded, 0)
++	  if (fd != -1 && __builtin_expect (secure, 0)
+ 	      && INTUSE(__libc_enable_secure))
+ 	    {
+ 	      /* This is an extra security effort to make sure nobody can
+@@ -1959,7 +1959,7 @@ open_path (const char *name, size_t namelen, int preloaded,
+ 
+ struct link_map *
+ internal_function
+-_dl_map_object (struct link_map *loader, const char *name, int preloaded,
++_dl_map_object (struct link_map *loader, const char *name,
+ 		int type, int trace_mode, int mode, Lmid_t nsid)
+ {
+   int fd;
+@@ -2063,7 +2063,8 @@ _dl_map_object (struct link_map *loader, const char *name, int preloaded,
+ 	  for (l = loader; l; l = l->l_loader)
+ 	    if (cache_rpath (l, &l->l_rpath_dirs, DT_RPATH, "RPATH"))
+ 	      {
+-		fd = open_path (name, namelen, preloaded, &l->l_rpath_dirs,
++		fd = open_path (name, namelen, mode & __RTLD_SECURE,
++				&l->l_rpath_dirs,
+ 				&realname, &fb, loader, LA_SER_RUNPATH,
+ 				&found_other_class);
+ 		if (fd != -1)
+@@ -2078,14 +2079,15 @@ _dl_map_object (struct link_map *loader, const char *name, int preloaded,
+ 	      && main_map != NULL && main_map->l_type != lt_loaded
+ 	      && cache_rpath (main_map, &main_map->l_rpath_dirs, DT_RPATH,
+ 			      "RPATH"))
+-	    fd = open_path (name, namelen, preloaded, &main_map->l_rpath_dirs,
++	    fd = open_path (name, namelen, mode & __RTLD_SECURE,
++			    &main_map->l_rpath_dirs,
+ 			    &realname, &fb, loader ?: main_map, LA_SER_RUNPATH,
+ 			    &found_other_class);
+ 	}
+ 
+       /* Try the LD_LIBRARY_PATH environment variable.  */
+       if (fd == -1 && env_path_list.dirs != (void *) -1)
+-	fd = open_path (name, namelen, preloaded, &env_path_list,
++	fd = open_path (name, namelen, mode & __RTLD_SECURE, &env_path_list,
+ 			&realname, &fb,
+ 			loader ?: GL(dl_ns)[LM_ID_BASE]._ns_loaded,
+ 			LA_SER_LIBPATH, &found_other_class);
+@@ -2094,12 +2096,12 @@ _dl_map_object (struct link_map *loader, const char *name, int preloaded,
+       if (fd == -1 && loader != NULL
+ 	  && cache_rpath (loader, &loader->l_runpath_dirs,
+ 			  DT_RUNPATH, "RUNPATH"))
+-	fd = open_path (name, namelen, preloaded,
++	fd = open_path (name, namelen, mode & __RTLD_SECURE,
+ 			&loader->l_runpath_dirs, &realname, &fb, loader,
+ 			LA_SER_RUNPATH, &found_other_class);
+ 
+       if (fd == -1
+-	  && (__builtin_expect (! preloaded, 1)
++	  && (__builtin_expect (! (mode & __RTLD_SECURE), 1)
+ 	      || ! INTUSE(__libc_enable_secure)))
+ 	{
+ 	  /* Check the list of libraries in the file /etc/ld.so.cache,
+@@ -2165,7 +2167,7 @@ _dl_map_object (struct link_map *loader, const char *name, int preloaded,
+ 	  && ((l = loader ?: GL(dl_ns)[nsid]._ns_loaded) == NULL
+ 	      || __builtin_expect (!(l->l_flags_1 & DF_1_NODEFLIB), 1))
+ 	  && rtld_search_dirs.dirs != (void *) -1)
+-	fd = open_path (name, namelen, preloaded, &rtld_search_dirs,
++	fd = open_path (name, namelen, mode & __RTLD_SECURE, &rtld_search_dirs,
+ 			&realname, &fb, l, LA_SER_DEFAULT, &found_other_class);
+ 
+       /* Add another newline when we are tracing the library loading.  */
+diff --git a/elf/dl-open.c b/elf/dl-open.c
+index c394b3f..cf8e8cc 100644
+--- a/elf/dl-open.c
++++ b/elf/dl-open.c
+@@ -223,7 +223,7 @@ dl_open_worker (void *a)
+ 
+   /* Load the named object.  */
+   struct link_map *new;
+-  args->map = new = _dl_map_object (call_map, file, 0, lt_loaded, 0,
++  args->map = new = _dl_map_object (call_map, file, lt_loaded, 0,
+ 				    mode | __RTLD_CALLMAP, args->nsid);
+ 
+   /* If the pointer returned is NULL this means the RTLD_NOLOAD flag is
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 201c9cf..4a8cee8 100644
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -587,7 +587,6 @@ struct map_args
+   /* Argument to map_doit.  */
+   char *str;
+   struct link_map *loader;
+-  int is_preloaded;
+   int mode;
+   /* Return value of map_doit.  */
+   struct link_map *map;
+@@ -625,16 +624,17 @@ static void
+ map_doit (void *a)
+ {
+   struct map_args *args = (struct map_args *) a;
+-  args->map = _dl_map_object (args->loader, args->str,
+-			      args->is_preloaded, lt_library, 0, args->mode,
+-			      LM_ID_BASE);
++  args->map = _dl_map_object (args->loader, args->str, lt_library, 0,
++			      args->mode, LM_ID_BASE);
+ }
+ 
+ static void
+ dlmopen_doit (void *a)
+ {
+   struct dlmopen_args *args = (struct dlmopen_args *) a;
+-  args->map = _dl_open (args->fname, RTLD_LAZY | __RTLD_DLOPEN | __RTLD_AUDIT,
++  args->map = _dl_open (args->fname,
++			(RTLD_LAZY | __RTLD_DLOPEN | __RTLD_AUDIT
++			 | __RTLD_SECURE),
+ 			dl_main, LM_ID_NEWLM, _dl_argc, INTUSE(_dl_argv),
+ 			__environ);
+ }
+@@ -804,8 +804,7 @@ do_preload (char *fname, struct link_map *main_map, const char *where)
+ 
+   args.str = fname;
+   args.loader = main_map;
+-  args.is_preloaded = 1;
+-  args.mode = 0;
++  args.mode = __RTLD_SECURE;
+ 
+   unsigned int old_nloaded = GL(dl_ns)[LM_ID_BASE]._ns_nloaded;
+ 
+@@ -1050,7 +1049,6 @@ of this helper program; chances are you did not intend to run this program.\n\
+ 
+ 	  args.str = rtld_progname;
+ 	  args.loader = NULL;
+-	  args.is_preloaded = 0;
+ 	  args.mode = __RTLD_OPENEXEC;
+ 	  (void) _dl_catch_error (&objname, &err_str, &malloced, map_doit,
+ 				  &args);
+@@ -1062,7 +1060,7 @@ of this helper program; chances are you did not intend to run this program.\n\
+       else
+ 	{
+ 	  HP_TIMING_NOW (start);
+-	  _dl_map_object (NULL, rtld_progname, 0, lt_library, 0,
++	  _dl_map_object (NULL, rtld_progname, lt_library, 0,
+ 			  __RTLD_OPENEXEC, LM_ID_BASE);
+ 	  HP_TIMING_NOW (stop);
+ 
+diff --git a/include/dlfcn.h b/include/dlfcn.h
+index a67426d..af92483 100644
+--- a/include/dlfcn.h
++++ b/include/dlfcn.h
+@@ -9,6 +9,7 @@
+ #define __RTLD_OPENEXEC	0x20000000
+ #define __RTLD_CALLMAP	0x10000000
+ #define __RTLD_AUDIT	0x08000000
++#define __RTLD_SECURE	0x04000000 /* Apply additional security checks.  */
+ 
+ #define __LM_ID_CALLER	-2
+ 
+diff --git a/sysdeps/generic/ldsodefs.h b/sysdeps/generic/ldsodefs.h
+index fcc943b..fa4b6b2 100644
+--- a/sysdeps/generic/ldsodefs.h
++++ b/sysdeps/generic/ldsodefs.h
+@@ -824,11 +824,9 @@ extern void _dl_receive_error (receiver_fct fct, void (*operate) (void *),
+ 
+ /* Open the shared object NAME and map in its segments.
+    LOADER's DT_RPATH is used in searching for NAME.
+-   If the object is already opened, returns its existing map.
+-   For preloaded shared objects PRELOADED is set to a non-zero
+-   value to allow additional security checks.  */
++   If the object is already opened, returns its existing map.  */
+ extern struct link_map *_dl_map_object (struct link_map *loader,
+-					const char *name, int preloaded,
++					const char *name,
+ 					int type, int trace_mode, int mode,
+ 					Lmid_t nsid)
+      internal_function attribute_hidden;
+
diff --git a/glibc/Pkgfile b/glibc/Pkgfile
index 9d1786b3..15dd1572 100644
--- a/glibc/Pkgfile
+++ b/glibc/Pkgfile
@@ -4,10 +4,11 @@
 
 name=glibc
 version=2.10.1
-release=2
+release=3
 source=(http://ftp.gnu.org/gnu/glibc/glibc-$version.tar.bz2
         http://ftp.gnu.org/gnu/glibc/glibc-libidn-$version.tar.bz2 
         http://crux.nu/files/distfiles/kernel-headers-2.6.29-1.tar.bz2
+        CVE-2010-3847.patch CVE-2010-3856.patch
         hosts resolv.conf nsswitch.conf host.conf ld.so.conf)
 
 build() {
@@ -19,6 +20,9 @@ build() {
     # libidn files
     mv $name-libidn-$version $name-$version/libidn
 
+    patch -p1 -d $name-$version -i $SRC/CVE-2010-3847.patch
+    patch -p1 -d $name-$version -i $SRC/CVE-2010-3856.patch
+
     mkdir build
     cd build
     ../$name-$version/configure --prefix=/usr \