[arch-commits] Commit in glibc/trunk (4 files)
Allan McRae
allan at archlinux.org
Mon Oct 25 06:51:35 UTC 2010
Date: Monday, October 25, 2010 @ 02:51:35
Author: allan
Revision: 96837
upgpkg: glibc 2.12.1-3
fix some expoits and other bugs
Added:
glibc/trunk/glibc-2.12.1-fix-IPTOS_CLASS-definition.patch
glibc/trunk/glibc-2.12.1-never-expand-origin-when-privileged.patch
glibc/trunk/glibc-2.12.1-require-suid-on-audit.patch
Modified:
glibc/trunk/PKGBUILD
--------------------------------------------------------+
PKGBUILD | 23 +
glibc-2.12.1-fix-IPTOS_CLASS-definition.patch | 34 ++
glibc-2.12.1-never-expand-origin-when-privileged.patch | 85 +++++
glibc-2.12.1-require-suid-on-audit.patch | 218 +++++++++++++++
4 files changed, 357 insertions(+), 3 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2010-10-25 06:16:22 UTC (rev 96836)
+++ PKGBUILD 2010-10-25 06:51:35 UTC (rev 96837)
@@ -7,8 +7,8 @@
pkgname=glibc
pkgver=2.12.1
-pkgrel=2
-_glibcdate=20101007
+pkgrel=3
+_glibcdate=20101025
pkgdesc="GNU C Library"
arch=('i686' 'x86_64')
url="http://www.gnu.org/software/libc"
@@ -28,16 +28,22 @@
glibc-2.12.1-make-3.82-compatibility.patch
glibc-2.12.1-static-shared-getpagesize.patch
glibc-2.12.1-but-I-am-an-i686.patch
+ glibc-2.12.1-fix-IPTOS_CLASS-definition.patch
+ glibc-2.12.1-never-expand-origin-when-privileged.patch
+ glibc-2.12.1-require-suid-on-audit.patch
nscd
locale.gen.txt
locale-gen)
-md5sums=('17189b123cebeb71cf7b7e7416b601a6'
+md5sums=('b12192eff7306f2a6e919641b847e7cf'
'4dadb9203b69a3210d53514bb46f41c3'
'0c5540efc51c0b93996c51b57a8540ae'
'40cd342e21f71f5e49e32622b25acc52'
'1deecaa78c0909f7175732da2af796b5'
'3215ed6996e7ecdd35bc105937c6e0dc'
'de17165e3fa721c4e056dacfc9ee1e52'
+ 'fdc0908c9971fcf9b32e1185954b6eeb'
+ 'e154dbe21d4e24968ab257ffd9c106f2'
+ 'bbc99319ad78fe9eb1ac217efc770ac6'
'b587ee3a70c9b3713099295609afde49'
'07ac979b6ab5eeb778d55f041529d623'
'476e9113489f93b348b21e144b6a8fcf')
@@ -73,6 +79,17 @@
# proper fix will be in binutils-2.21
patch -Np1 -i ${srcdir}/glibc-2.12.1-but-I-am-an-i686.patch
+ # http://www.exploit-db.com/exploits/15274/
+ # http://sourceware.org/git/?p=glibc.git;a=patch;h=2232b90f (only fedora branch...)
+ patch -Np1 -i ${srcdir}/glibc-2.12.1-never-expand-origin-when-privileged.patch
+
+ # http://www.exploit-db.com/exploits/15304/
+ # http://sourceware.org/git/?p=glibc.git;a=patch;h=8e9f92e9
+ patch -Np1 -i ${srcdir}/glibc-2.12.1-require-suid-on-audit.patch
+
+ # http://sources.redhat.com/git/?p=glibc.git;a=patch;h=15bac72b
+ patch -Np1 -i ${srcdir}/glibc-2.12.1-fix-IPTOS_CLASS-definition.patch
+
install -dm755 ${pkgdir}/etc
touch ${pkgdir}/etc/ld.so.conf
Added: glibc-2.12.1-fix-IPTOS_CLASS-definition.patch
===================================================================
--- glibc-2.12.1-fix-IPTOS_CLASS-definition.patch (rev 0)
+++ glibc-2.12.1-fix-IPTOS_CLASS-definition.patch 2010-10-25 06:51:35 UTC (rev 96837)
@@ -0,0 +1,34 @@
+From 15bac72bac03faeb3b725b1d208c62160f0c3ad7 Mon Sep 17 00:00:00 2001
+From: Ulrich Drepper <drepper at redhat.com>
+Date: Wed, 11 Aug 2010 07:44:03 -0700
+Subject: [PATCH] Fix IPTOS_CLASS definition.
+
+---
+ ChangeLog | 4 ++++
+ NEWS | 4 ++--
+ sysdeps/generic/netinet/ip.h | 5 ++---
+ 3 files changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/sysdeps/generic/netinet/ip.h b/sysdeps/generic/netinet/ip.h
+index a837b98..4955fee 100644
+--- a/sysdeps/generic/netinet/ip.h
++++ b/sysdeps/generic/netinet/ip.h
+@@ -1,5 +1,4 @@
+-/* Copyright (C) 1991,92,93,95,96,97,98,99,2000,2009 Free Software
+- Foundation, Inc.
++/* Copyright (C) 1991-1993,1995-2000,2009,2010 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+@@ -194,7 +193,7 @@ struct ip_timestamp
+ */
+
+ #define IPTOS_CLASS_MASK 0xe0
+-#define IPTOS_CLASS(class) ((tos) & IPTOS_CLASS_MASK)
++#define IPTOS_CLASS(class) ((class) & IPTOS_CLASS_MASK)
+ #define IPTOS_CLASS_CS0 0x00
+ #define IPTOS_CLASS_CS1 0x20
+ #define IPTOS_CLASS_CS2 0x40
+--
+1.7.2
+
Added: glibc-2.12.1-never-expand-origin-when-privileged.patch
===================================================================
--- glibc-2.12.1-never-expand-origin-when-privileged.patch (rev 0)
+++ glibc-2.12.1-never-expand-origin-when-privileged.patch 2010-10-25 06:51:35 UTC (rev 96837)
@@ -0,0 +1,85 @@
+From 2232b90f0bd3a41b4d63cac98a5b60abbfaccd46 Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab at redhat.com>
+Date: Mon, 18 Oct 2010 11:46:00 +0200
+Subject: [PATCH] Never expand $ORIGIN in privileged programs
+
+---
+ ChangeLog | 6 ++++++
+ elf/dl-load.c | 30 +++++++++++++-----------------
+ 2 files changed, 19 insertions(+), 17 deletions(-)
+
+diff --git a/elf/dl-load.c b/elf/dl-load.c
+index 0adddf5..1cc6f25 100644
+--- a/elf/dl-load.c
++++ b/elf/dl-load.c
+@@ -169,8 +169,7 @@ local_strdup (const char *s)
+
+
+ static size_t
+-is_dst (const char *start, const char *name, const char *str,
+- int is_path, int secure)
++is_dst (const char *start, const char *name, const char *str, int is_path)
+ {
+ size_t len;
+ bool is_curly = false;
+@@ -199,11 +198,6 @@ is_dst (const char *start, const char *name, const char *str,
+ && (!is_path || name[len] != ':'))
+ return 0;
+
+- if (__builtin_expect (secure, 0)
+- && ((name[len] != '\0' && (!is_path || name[len] != ':'))
+- || (name != start + 1 && (!is_path || name[-2] != ':'))))
+- return 0;
+-
+ return len;
+ }
+
+@@ -218,13 +212,12 @@ _dl_dst_count (const char *name, int is_path)
+ {
+ size_t len;
+
+- /* $ORIGIN is not expanded for SUID/GUID programs (except if it
+- is $ORIGIN alone) and it must always appear first in path. */
++ /* $ORIGIN is not expanded for SUID/GUID programs. */
+ ++name;
+- if ((len = is_dst (start, name, "ORIGIN", is_path,
+- INTUSE(__libc_enable_secure))) != 0
+- || (len = is_dst (start, name, "PLATFORM", is_path, 0)) != 0
+- || (len = is_dst (start, name, "LIB", is_path, 0)) != 0)
++ if (((len = is_dst (start, name, "ORIGIN", is_path)) != 0
++ && !INTUSE(__libc_enable_secure))
++ || (len = is_dst (start, name, "PLATFORM", is_path)) != 0
++ || (len = is_dst (start, name, "LIB", is_path)) != 0)
+ ++cnt;
+
+ name = strchr (name + len, '$');
+@@ -256,9 +249,12 @@ _dl_dst_substitute (struct link_map *l, const char *name, char *result,
+ size_t len;
+
+ ++name;
+- if ((len = is_dst (start, name, "ORIGIN", is_path,
+- INTUSE(__libc_enable_secure))) != 0)
++ if ((len = is_dst (start, name, "ORIGIN", is_path)) != 0)
+ {
++ /* Ignore this path element in SUID/SGID programs. */
++ if (INTUSE(__libc_enable_secure))
++ repl = (const char *) -1;
++ else
+ #ifndef SHARED
+ if (l == NULL)
+ repl = _dl_get_origin ();
+@@ -266,9 +262,9 @@ _dl_dst_substitute (struct link_map *l, const char *name, char *result,
+ #endif
+ repl = l->l_origin;
+ }
+- else if ((len = is_dst (start, name, "PLATFORM", is_path, 0)) != 0)
++ else if ((len = is_dst (start, name, "PLATFORM", is_path)) != 0)
+ repl = GLRO(dl_platform);
+- else if ((len = is_dst (start, name, "LIB", is_path, 0)) != 0)
++ else if ((len = is_dst (start, name, "LIB", is_path)) != 0)
+ repl = DL_DST_LIB;
+
+ if (repl != NULL && repl != (const char *) -1)
+--
+1.7.2
+
Added: glibc-2.12.1-require-suid-on-audit.patch
===================================================================
--- glibc-2.12.1-require-suid-on-audit.patch (rev 0)
+++ glibc-2.12.1-require-suid-on-audit.patch 2010-10-25 06:51:35 UTC (rev 96837)
@@ -0,0 +1,218 @@
+From 8e9f92e9d5d7737afdacf79b76d98c4c42980508 Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab at redhat.com>
+Date: Sun, 24 Oct 2010 21:43:15 -0400
+Subject: [PATCH 1/1] Require suid bit on audit objects in privileged programs
+
+---
+ ChangeLog | 15 +++++++++++++++
+ elf/dl-deps.c | 2 +-
+ elf/dl-load.c | 20 +++++++++++---------
+ elf/dl-open.c | 2 +-
+ elf/rtld.c | 16 +++++++---------
+ include/dlfcn.h | 1 +
+ sysdeps/generic/ldsodefs.h | 6 ++----
+ 7 files changed, 38 insertions(+), 24 deletions(-)
+
+diff --git a/elf/dl-deps.c b/elf/dl-deps.c
+index a58de5c..a51fb6e 100644
+--- a/elf/dl-deps.c
++++ b/elf/dl-deps.c
+@@ -62,7 +62,7 @@ openaux (void *a)
+ {
+ struct openaux_args *args = (struct openaux_args *) a;
+
+- args->aux = _dl_map_object (args->map, args->name, 0,
++ args->aux = _dl_map_object (args->map, args->name,
+ (args->map->l_type == lt_executable
+ ? lt_library : args->map->l_type),
+ args->trace_mode, args->open_mode,
+diff --git a/elf/dl-load.c b/elf/dl-load.c
+index a7162eb..aa8738f 100644
+--- a/elf/dl-load.c
++++ b/elf/dl-load.c
+@@ -1812,7 +1812,7 @@ open_verify (const char *name, struct filebuf *fbp, struct link_map *loader,
+ if MAY_FREE_DIRS is true. */
+
+ static int
+-open_path (const char *name, size_t namelen, int preloaded,
++open_path (const char *name, size_t namelen, int secure,
+ struct r_search_path_struct *sps, char **realname,
+ struct filebuf *fbp, struct link_map *loader, int whatcode,
+ bool *found_other_class)
+@@ -1894,7 +1894,7 @@ open_path (const char *name, size_t namelen, int preloaded,
+ /* Remember whether we found any existing directory. */
+ here_any |= this_dir->status[cnt] != nonexisting;
+
+- if (fd != -1 && __builtin_expect (preloaded, 0)
++ if (fd != -1 && __builtin_expect (secure, 0)
+ && INTUSE(__libc_enable_secure))
+ {
+ /* This is an extra security effort to make sure nobody can
+@@ -1963,7 +1963,7 @@ open_path (const char *name, size_t namelen, int preloaded,
+
+ struct link_map *
+ internal_function
+-_dl_map_object (struct link_map *loader, const char *name, int preloaded,
++_dl_map_object (struct link_map *loader, const char *name,
+ int type, int trace_mode, int mode, Lmid_t nsid)
+ {
+ int fd;
+@@ -2067,7 +2067,8 @@ _dl_map_object (struct link_map *loader, const char *name, int preloaded,
+ for (l = loader; l; l = l->l_loader)
+ if (cache_rpath (l, &l->l_rpath_dirs, DT_RPATH, "RPATH"))
+ {
+- fd = open_path (name, namelen, preloaded, &l->l_rpath_dirs,
++ fd = open_path (name, namelen, mode & __RTLD_SECURE,
++ &l->l_rpath_dirs,
+ &realname, &fb, loader, LA_SER_RUNPATH,
+ &found_other_class);
+ if (fd != -1)
+@@ -2082,14 +2083,15 @@ _dl_map_object (struct link_map *loader, const char *name, int preloaded,
+ && main_map != NULL && main_map->l_type != lt_loaded
+ && cache_rpath (main_map, &main_map->l_rpath_dirs, DT_RPATH,
+ "RPATH"))
+- fd = open_path (name, namelen, preloaded, &main_map->l_rpath_dirs,
++ fd = open_path (name, namelen, mode & __RTLD_SECURE,
++ &main_map->l_rpath_dirs,
+ &realname, &fb, loader ?: main_map, LA_SER_RUNPATH,
+ &found_other_class);
+ }
+
+ /* Try the LD_LIBRARY_PATH environment variable. */
+ if (fd == -1 && env_path_list.dirs != (void *) -1)
+- fd = open_path (name, namelen, preloaded, &env_path_list,
++ fd = open_path (name, namelen, mode & __RTLD_SECURE, &env_path_list,
+ &realname, &fb,
+ loader ?: GL(dl_ns)[LM_ID_BASE]._ns_loaded,
+ LA_SER_LIBPATH, &found_other_class);
+@@ -2098,12 +2100,12 @@ _dl_map_object (struct link_map *loader, const char *name, int preloaded,
+ if (fd == -1 && loader != NULL
+ && cache_rpath (loader, &loader->l_runpath_dirs,
+ DT_RUNPATH, "RUNPATH"))
+- fd = open_path (name, namelen, preloaded,
++ fd = open_path (name, namelen, mode & __RTLD_SECURE,
+ &loader->l_runpath_dirs, &realname, &fb, loader,
+ LA_SER_RUNPATH, &found_other_class);
+
+ if (fd == -1
+- && (__builtin_expect (! preloaded, 1)
++ && (__builtin_expect (! (mode & __RTLD_SECURE), 1)
+ || ! INTUSE(__libc_enable_secure)))
+ {
+ /* Check the list of libraries in the file /etc/ld.so.cache,
+@@ -2169,7 +2171,7 @@ _dl_map_object (struct link_map *loader, const char *name, int preloaded,
+ && ((l = loader ?: GL(dl_ns)[nsid]._ns_loaded) == NULL
+ || __builtin_expect (!(l->l_flags_1 & DF_1_NODEFLIB), 1))
+ && rtld_search_dirs.dirs != (void *) -1)
+- fd = open_path (name, namelen, preloaded, &rtld_search_dirs,
++ fd = open_path (name, namelen, mode & __RTLD_SECURE, &rtld_search_dirs,
+ &realname, &fb, l, LA_SER_DEFAULT, &found_other_class);
+
+ /* Add another newline when we are tracing the library loading. */
+diff --git a/elf/dl-open.c b/elf/dl-open.c
+index c394b3f..cf8e8cc 100644
+--- a/elf/dl-open.c
++++ b/elf/dl-open.c
+@@ -223,7 +223,7 @@ dl_open_worker (void *a)
+
+ /* Load the named object. */
+ struct link_map *new;
+- args->map = new = _dl_map_object (call_map, file, 0, lt_loaded, 0,
++ args->map = new = _dl_map_object (call_map, file, lt_loaded, 0,
+ mode | __RTLD_CALLMAP, args->nsid);
+
+ /* If the pointer returned is NULL this means the RTLD_NOLOAD flag is
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 5ecc4fe..06b534a 100644
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -589,7 +589,6 @@ struct map_args
+ /* Argument to map_doit. */
+ char *str;
+ struct link_map *loader;
+- int is_preloaded;
+ int mode;
+ /* Return value of map_doit. */
+ struct link_map *map;
+@@ -627,16 +626,17 @@ static void
+ map_doit (void *a)
+ {
+ struct map_args *args = (struct map_args *) a;
+- args->map = _dl_map_object (args->loader, args->str,
+- args->is_preloaded, lt_library, 0, args->mode,
+- LM_ID_BASE);
++ args->map = _dl_map_object (args->loader, args->str, lt_library, 0,
++ args->mode, LM_ID_BASE);
+ }
+
+ static void
+ dlmopen_doit (void *a)
+ {
+ struct dlmopen_args *args = (struct dlmopen_args *) a;
+- args->map = _dl_open (args->fname, RTLD_LAZY | __RTLD_DLOPEN | __RTLD_AUDIT,
++ args->map = _dl_open (args->fname,
++ (RTLD_LAZY | __RTLD_DLOPEN | __RTLD_AUDIT
++ | __RTLD_SECURE),
+ dl_main, LM_ID_NEWLM, _dl_argc, INTUSE(_dl_argv),
+ __environ);
+ }
+@@ -806,8 +806,7 @@ do_preload (char *fname, struct link_map *main_map, const char *where)
+
+ args.str = fname;
+ args.loader = main_map;
+- args.is_preloaded = 1;
+- args.mode = 0;
++ args.mode = __RTLD_SECURE;
+
+ unsigned int old_nloaded = GL(dl_ns)[LM_ID_BASE]._ns_nloaded;
+
+@@ -1054,7 +1053,6 @@ of this helper program; chances are you did not intend to run this program.\n\
+
+ args.str = rtld_progname;
+ args.loader = NULL;
+- args.is_preloaded = 0;
+ args.mode = __RTLD_OPENEXEC;
+ (void) _dl_catch_error (&objname, &err_str, &malloced, map_doit,
+ &args);
+@@ -1066,7 +1064,7 @@ of this helper program; chances are you did not intend to run this program.\n\
+ else
+ {
+ HP_TIMING_NOW (start);
+- _dl_map_object (NULL, rtld_progname, 0, lt_library, 0,
++ _dl_map_object (NULL, rtld_progname, lt_library, 0,
+ __RTLD_OPENEXEC, LM_ID_BASE);
+ HP_TIMING_NOW (stop);
+
+diff --git a/include/dlfcn.h b/include/dlfcn.h
+index a67426d..af92483 100644
+--- a/include/dlfcn.h
++++ b/include/dlfcn.h
+@@ -9,6 +9,7 @@
+ #define __RTLD_OPENEXEC 0x20000000
+ #define __RTLD_CALLMAP 0x10000000
+ #define __RTLD_AUDIT 0x08000000
++#define __RTLD_SECURE 0x04000000 /* Apply additional security checks. */
+
+ #define __LM_ID_CALLER -2
+
+diff --git a/sysdeps/generic/ldsodefs.h b/sysdeps/generic/ldsodefs.h
+index fcc943b..fa4b6b2 100644
+--- a/sysdeps/generic/ldsodefs.h
++++ b/sysdeps/generic/ldsodefs.h
+@@ -824,11 +824,9 @@ extern void _dl_receive_error (receiver_fct fct, void (*operate) (void *),
+
+ /* Open the shared object NAME and map in its segments.
+ LOADER's DT_RPATH is used in searching for NAME.
+- If the object is already opened, returns its existing map.
+- For preloaded shared objects PRELOADED is set to a non-zero
+- value to allow additional security checks. */
++ If the object is already opened, returns its existing map. */
+ extern struct link_map *_dl_map_object (struct link_map *loader,
+- const char *name, int preloaded,
++ const char *name,
+ int type, int trace_mode, int mode,
+ Lmid_t nsid)
+ internal_function attribute_hidden;
+--
+1.7.2
+
More information about the arch-commits
mailing list