183844 2007-07-01 15:29 0000 sys-libs/glibc: integer overflow in ld.so CVE-2007-3508 2007-09-12 05:19:41 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED A1 [glsa] P2 major --- 1 taviso@gentoo.org security@gentoo.org caluml@gmail.com gengor@gentoo.org ssuominen@gentoo.org toolchain@gentoo.org taviso@gentoo.org 2007-07-01 15:29:48 0000 When there are many bits set in LD_HWCAP_MASK, an integer overflow could result in too little memory being allocated, potentially resulting in an exploitable condition. Reproduce: $ env -i LD_HWCAP_MASK=$((0xffffffff)) su $ strace -emmap2 -f env -i LD_HWCAP_MASK=$((0x7fffffff)) su As hwcap_mask is honoured for suid binaries, this is a security issue. Attached patch disabled this, as some other distributions have already done (eg, Owl). Vapier, could you prepare an updated ebuild incorporating this patch? Please dont commit it to portage yet, as this issue may require an embargo. taviso@gentoo.org 2007-07-01 15:30:21 0000 Created an attachment (id=123536) ignore HWCAP_MASK for suid/sgid taviso@gentoo.org 2007-07-02 21:54:28 0000 this is CVE-2007-3508. solar@gentoo.org 2007-07-03 03:13:22 0000 This is in the tree now as -r4 per a taviso request. solar@hangover / $ LD_HWCAP_MASK=$((0xffffffff)) id Inconsistency detected by ld.so: dl-minimal.c: 84: __libc_memalign: Assertion `page != ((void *) -1)' failed! solar@hangover / $ LD_HWCAP_MASK=$((0xffffffff)) su Password: http://sources.gentoo.org/viewcvs.py/gentoo/src/patchsets/glibc/2.5/ as patch 1600 taviso@gentoo.org 2007-07-03 09:21:59 0000 x86: Please test and mark stable sys-libs/glibc-2.5-r4, in particular, please ensure that the following command succeeds: $ env -i LD_HWCAP_MASK=$((0xffffffff)) su fauli@gentoo.org 2007-07-03 13:09:50 0000 x86 stable, changing status to glsa? eradicator@gentoo.org 2007-07-04 08:51:42 0000 Shouldn't amd64 be marking this stable too before you do the glsa... caluml@gmail.com 2007-07-05 09:11:04 0000 Is there any chance of having a 2.3 and 2.4 version of Glibc made available for this - some binary packages (HelixServer for instance) have problems with some versions of glibc, and if you have to run them, it'd be nice to be able to run them on a secure version of glibc. taviso@gentoo.org 2007-07-05 10:07:53 0000 Jeremy: we believe only x86 is affected, a 64bit arch like amd64 should be safe Calum: This only affects suid applications, so unless your server is setuid, this shouldnt affect you caluml@gmail.com 2007-07-05 10:35:47 0000 Aaah, thanks for the reply. Doesn't it mean though that someone could use a "standard" suid program such as su/mount/passwd to gain root though? vapier@gentoo.org 2007-07-05 21:06:53 0000 what's the upstream status ? has anyone posted there ? if not, i'll take it up falco@gentoo.org 2007-07-06 09:10:35 0000 GLSA 200707-04 taviso@gentoo.org 2007-07-06 11:39:25 0000 Vapier: Yep, it's fixed in upstream CVS http://sourceware.org/cgi-bin/cvsweb.cgi/libc/ChangeLog.diff?r1=1.10688&r2=1.10689&cvsroot=glibc&sortby=date (they fixed the bug, rather than just blacklisting it for suid) vapier@gentoo.org 2007-07-06 15:26:25 0000 ok, i checked for the mask rather than the fix ... i'll update our patches to match upstream ... thanks vapier@gentoo.org 2007-07-07 04:13:31 0000 considering all arches parse glsa's, i think all should stabilize ... especially since it's pretty trivial/non-invasive corsair@gentoo.org 2007-07-07 13:12:29 0000 ppc64 stable corsair@gentoo.org 2007-07-07 13:13:19 0000 reopening bug, so this pops up in bug lists of stable marking monkeys ^^ armin76@gentoo.org 2007-07-07 14:35:01 0000 alpha/ia64 stable kumba@gentoo.org 2007-07-07 16:19:26 0000 mips stable. eradicator@gentoo.org 2007-07-08 15:42:54 0000 (In reply to comment #8) > Jeremy: we believe only x86 is affected, a 64bit arch like amd64 should be safe 32bit suid apps on amd64 are affected though... $ env -i LD_HWCAP_MASK=$((0xffffffff)) /mnt/gentoo32/bin/su Segmentation fault jer@gentoo.org 2007-07-09 04:03:08 0000 Stable for HPPA. gustavoz@gentoo.org 2007-07-10 12:25:19 0000 sparc stable. dertobi123@gentoo.org 2007-07-10 18:41:02 0000 ppc stable angelos@gentoo.org 2007-07-15 12:11:30 0000 amd64 stable rbu@gentoo.org 2007-09-11 22:24:39 0000 Any reason this is still open? jaervosz@gentoo.org 2007-09-12 05:19:41 0000 I don't think so. 123536 2007-07-01 15:30 0000 ignore HWCAP_MASK for suid/sgid glibc-hwcap-mask-secure.diff text/plain ZGlmZiAtcnVOcCBlbGYvcnRsZC5jIGVsZi9ydGxkLmMKLS0tIGVsZi9ydGxkLmMJMjAwNy0wNy0w MSAxNjoyMTo1NS4wMDAwMDAwMDAgKzAxMDAKKysrIGVsZi9ydGxkLmMJMjAwNy0wNy0wMSAxNjoy MDozOC4wMDAwMDAwMDAgKzAxMDAKQEAgLTI1ODcsNyArMjU4Nyw4IEBAIHByb2Nlc3NfZW52dmFy cyAoZW51bSBtb2RlICptb2RlcCkKIAogCWNhc2UgMTA6CiAJICAvKiBNYXNrIGZvciB0aGUgaW1w b3J0YW50IGhhcmR3YXJlIGNhcGFiaWxpdGllcy4gICovCi0JICBpZiAobWVtY21wIChlbnZsaW5l LCAiSFdDQVBfTUFTSyIsIDEwKSA9PSAwKQorCSAgaWYgKCFJTlRVU0UoX19saWJjX2VuYWJsZV9z ZWN1cmUpCisgICAgICAgICAgJiYgbWVtY21wIChlbnZsaW5lLCAiSFdDQVBfTUFTSyIsIDEwKSA9 PSAwKQogCSAgICBHTFJPKGRsX2h3Y2FwX21hc2spID0gX19zdHJ0b3VsX2ludGVybmFsICgmZW52 bGluZVsxMV0sIE5VTEwsCiAJCQkJCQkgICAgICAwLCAwKTsKIAkgIGJyZWFrOwpkaWZmIC1ydU5w IHN5c2RlcHMvZ2VuZXJpYy91bnNlY3ZhcnMuaCBzeXNkZXBzL2dlbmVyaWMvdW5zZWN2YXJzLmgK LS0tIHN5c2RlcHMvZ2VuZXJpYy91bnNlY3ZhcnMuaAkyMDA1LTAxLTA2IDIyOjQwOjE5LjAwMDAw MDAwMCArMDAwMAorKysgc3lzZGVwcy9nZW5lcmljL3Vuc2VjdmFycy5oCTIwMDctMDctMDEgMTY6 MjE6MjEuMDAwMDAwMDAwICswMTAwCkBAIC05LDYgKzksNyBAQAogICAiTERfREVCVUdcMCIJCQkJ CQkJCSAgICAgIFwKICAgIkxEX0RFQlVHX09VVFBVVFwwIgkJCQkJCQkgICAgICBcCiAgICJMRF9E WU5BTUlDX1dFQUtcMCIJCQkJCQkJICAgICAgXAorICAiTERfSFdDQVBfTUFTS1wwIiAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICBcCiAgICJMRF9MSUJSQVJZX1BBVEhcMCIJCQkJCQkJICAg ICAgXAogICAiTERfT1JJR0lOX1BBVEhcMCIJCQkJCQkJICAgICAgXAogICAiTERfUFJFTE9BRFww IgkJCQkJCQkgICAgICBcCg==