Bug#: 66358
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Luke Macken (RETIRED) <lewk@gentoo.org>
Attachments:
  glibc-2.3.2-tempfile.patch       (patch, Luke Macken (RETIRED), 2004-10-04 15:15 0000, 5.83 KB)
  glibc-2.3.3-tempfile.patch       (patch, Luke Macken (RETIRED), 2004-10-04 22:43 0000, 1.75 KB)
  glibc-mega-tempfile-update.diff  (patch, solar, 2004-10-05 10:32 0000, 117.96 KB)
  glibc.tgz, glibc ebuilds tarball (application/octet-stream, solar, 2004-10-07 14:36 0000, 181.26 KB)


Description:   Opened: 2004-10-04 15:15 0000
Problem description:

  Trustix Security Engineers identified that all these packages had one or
  more script(s) that handled temporary files in an insecure manner.  While
  it is not believed that any of these holes could lead to privilege
  escalation, it would be possible to trick the scripts to overwrite data
  writable by the user that invokes the script.

  These problems can only be exploited by local users, and they would have to
  wait for someone else, preferably root, to run the vulnerable scripts.
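Added example (not the Trustix patch and not glibc's own scripts): it contrasts the predictable temp-file naming the description refers to with a hardened mktemp-based version plus the ownership/symlink check a script should make before writing. The file prefix catchsegv-demo and the function names are constructed for the illustration.

```shell
#!/bin/sh
# Insecure pattern: a predictable path under a world-writable directory.
# The name depends only on the PID, so another local user can create the
# path (or a symlink at it) ahead of time, and the redirection below then
# writes through whatever is already there.
insecure_tmpfile() {
    tmp="${TMPDIR:-/tmp}/catchsegv-demo.$$"   # constructed, illustrative name
    echo "output" > "$tmp"
    printf '%s\n' "$tmp"
}

# check_tmpfile PATH: returns 0 only if PATH is a regular file (not a
# symlink) owned by the caller. This is the property a script must hold
# before it writes into a temporary file it did not create atomically.
check_tmpfile() {
    f=$1
    [ -L "$f" ] && return 1      # a symlink was planted by someone else
    [ -f "$f" ] || return 1      # must exist and be a regular file
    [ -O "$f" ] || return 1      # must be owned by the invoking user
    return 0
}

# Hardened pattern: mktemp(1) creates the file with O_EXCL, mode 0600 and a
# random suffix, so the name cannot be guessed and a pre-existing path makes
# mktemp fail instead of being reused. The check afterwards guards against
# anything unexpected at the returned path.
safe_tmpfile() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/catchsegv-demo.XXXXXX") || return 1
    check_tmpfile "$tmp" || { rm -f "$tmp"; return 1; }
    echo "output" > "$tmp"
    printf '%s\n' "$tmp"
}
```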

------- Comment #1 From Luke Macken (RETIRED) 2004-10-04 15:15:36 0000 -------
Created an attachment (id=41097) [details]
glibc-2.3.2-tempfile.patch

Trustix patch to fix insecure tempfile handling

------- Comment #2 From Luke Macken (RETIRED) 2004-10-04 15:17:08 0000 -------
toolchain herd,

please verify and apply patch if necessary.  

After quickly skimming through it, it seems that our stable glibc-2.3.3.20040420-r1 is vulnerable.

------- Comment #3 From solar 2004-10-04 21:19:52 0000 -------
Well. I can confirm that it patches clean. But overall that revision of glibc
is pretty old and it's advised to never downgrade your glibc so I can't test
this on behalf of the toolchain herd.

Should we attempt to apply to other versions of glibc? 
Do you have patches for any other revision of glibc?

------- Comment #4 From Luke Macken (RETIRED) 2004-10-04 21:41:17 0000 -------
I think it's probably safe to patch other versions as well.  After comparing it
to the stable version 2.3.3.20040420-r1, the catchsegv.sh file is *exactly* the
same as in 2.3.2, the glibcbug.in file doesn't exist, and there is a minor 1
line difference in the oldtmpfile.c code.

The patch was written by Trustix for their stable version of gcc, but seems to
be safe for ours.  It's totally your call though.

------- Comment #5 From Luke Macken (RETIRED) 2004-10-04 22:43:44 0000 -------
Created an attachment (id=41123) [details]
glibc-2.3.3-tempfile.patch

Modified tempfile patch for glibc-2.3.3

------- Comment #6 From solar 2004-10-05 10:32:42 0000 -------
Created an attachment (id=41157) [details]
glibc-mega-tempfile-update.diff

I want somebody to test this before it gets committed to the tree.

------- Comment #7 From solar 2004-10-05 10:37:41 0000 -------
glibc-2.2.5 (was not patched)

------- Comment #8 From Travis Tilley (RETIRED) 2004-10-07 12:53:40 0000 -------
Damnit dude, can you attach the actual ebuilds?

File to patch: glibc-2.3.2-r12.ebuild
glibc-2.3.2-r12.ebuild: No such file or directory
Skip this patch? [y]

etc. 

------- Comment #9 From Travis Tilley (RETIRED) 2004-10-07 12:55:15 0000 -------
...or at least diffs between ebuilds?

------- Comment #10 From solar 2004-10-07 14:33:48 0000 -------
Damnit what?
I'm not in the mood to take shit from you or anybody else. I'm not attaching a bunch of little files. I can attach a tarball. Or you can do the same darn thing I did. I added the patches to every ebuild in roughly the same spot.
If you had not touched the glibc, like you said you wouldn't till this security problem was resolved, it would have patched clean.

------- Comment #11 From solar 2004-10-07 14:36:51 0000 -------
Created an attachment (id=41323) [details]
glibc ebuilds tarball

sys-libs/glibc tarball

------- Comment #12 From Travis Tilley (RETIRED) 2004-10-07 15:24:19 0000 -------
...my bad.

the patch has been added in cvs.
...has it been submitted upstream?

------- Comment #13 From Brant Gurganus 2004-10-08 08:44:12 0000 -------
I am updating to sys-libs/glibc-2.3.3.20040420-r2 from
sys-libs/glibc-2.3.3.20040420-r1.  Several times now, the build routine has
been broken and mentions a stack smashing attack.

CPP='gcc -E -x c-header' 
/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/elf/ld-linux.so.2
--library-path
/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/math:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/elf:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/dlfcn:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/nss:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/nis:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/rt:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/resolv:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/crypt:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/nptl
/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/sunrpc/rpcgen
-Y ../scripts -c rpcsvc/bootparam_prot.x -o
/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/sunrpc/xbootparam_prot.T
rpcgen: stack smashing attack in function __guard_setup()
.././scripts/mkinstalldirs
/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/sunrpc/rpcsvc
.././scripts/mkinstalldirs
/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/sunrpc/rpcsvc
mkdir
/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/sunrpc/rpcsvc
make[2]: ***
[/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/sunrpc/xbootparam_prot.stmp]
Aborted
make[2]: *** Waiting for unfinished jobs....
make[2]: *** Waiting for unfinished jobs....
CPP='gcc -E -x c-header' 
/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/elf/ld-linux.so.2
--library-path
/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/math:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/elf:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/dlfcn:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/nss:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/nis:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/rt:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/resolv:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/crypt:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/nptl
/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/sunrpc/rpcgen
-Y ../scripts -c rpcsvc/nlm_prot.x -o
/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/sunrpc/xnlm_prot.T
rpcgen: stack smashing attack in function __guard_setup()
make[2]: *** Waiting for unfinished jobs....
make[2]: *** Waiting for unfinished jobs....
CPP='gcc -E -x c-header' 
/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/elf/ld-linux.so.2
--library-path
/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/math:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/elf:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/dlfcn:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/nss:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/nis:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/rt:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/resolv:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/crypt:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/nptl
/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/sunrpc/rpcgen
-Y ../scripts -h rpcsvc/bootparam_prot.x -o
/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/sunrpc/rpcsvc/bootparam_prot.T
rpcgen: stack smashing attack in function __guard_setup()
make[2]: *** Waiting for unfinished jobs....
CPP='gcc -E -x c-header' 
/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/elf/ld-linux.so.2
--library-path
/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/math:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/elf:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/dlfcn:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/nss:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/nis:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/rt:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/resolv:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/crypt:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/nptl
/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/sunrpc/rpcgen
-Y ../scripts -h rpcsvc/nlm_prot.x -o
/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/sunrpc/rpcsvc/nlm_prot.T
rpcgen: stack smashing attack in function __guard_setup()
make[2]: *** Waiting for unfinished jobs....
make[2]: ***
[/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/sunrpc/xnlm_prot.stmp]
Aborted
make[2]: ***
[/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/sunrpc/rpcsvc/bootparam_prot.stmp]
Aborted
make[1]: *** [sunrpc/others] Error 2
make[1]: Leaving directory
`/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2'
make: *** [all] Error 2

!!! ERROR: sys-libs/glibc-2.3.3.20040420-r2 failed.
!!! Function src_compile, Line 592, Exitcode 2
!!! (no error message)


I have never had this problem building glibc before.  Here is the portage
information:
Portage 2.0.50-r11 (default-x86-2004.2, gcc-3.3.4, glibc-2.3.3.20040420-r1,
2.6.8-gentoo-r3)
=================================================================
System uname: 2.6.8-gentoo-r3 i686 Pentium III (Katmai)
Gentoo Base System version 1.4.16
distcc 2.16 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.3 [enabled]
Autoconf: sys-devel/autoconf-2.59-r4
Automake: sys-devel/automake-1.8.5-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O3 -march=pentium3 -mcpu=pentium3 -fprefetch-loop-arrays
-fomit-frame-pointer -pipe -ftracer -fstack-protector"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O3 -march=pentium3 -mcpu=pentium3 -fprefetch-loop-arrays
-fomit-frame-pointer -pipe -ftracer -fstack-protector"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs buildpkg ccache distcc fixpackages sandbox strict"
GENTOO_MIRRORS="ftp://localhost/linux/gentoo ftp://mirrors.tds.net/gentoo
http://mirrors.tds.net/gentoo http://gentoo.mirrors.pair.com/
http://mirror.datapipe.net/gentoo"
MAKEOPTS="-j8"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.us.gentoo.org/gentoo-portage"
USE="apm arts avi berkdb bitmap-fonts cjk crypt cups encode foomaticdb gdbm gif
gpm gtk2 imlib jpeg justify kde libg++ libwww mad mikmod mmx mpeg ncurses nls
nptl oggvorbis opengl oss pam parse-clocks pdflib perl pic png python qt
quicktime readline sdl slang spell sse ssl tcpd truetype unicode x86 xml2 xmms
xprint xv zlib"

------- Comment #14 From Peter S. Mazinger 2004-10-08 09:01:01 0000 -------
that does not have to do w/ this bug, remove -fstack-protector from
CFLAGS/CXXFLAGS. If you want a hardened setup, use the hardened use flag
instead (and rebuild gcc)

------- Comment #15 From Simon Strandman 2004-10-08 12:25:47 0000 -------
The upgrade from glibc-2.3.3.20040420-r1 to r2 makes things segmentation fault.
:( Recompiling those applications doesn't solve it.

nxsty@Isidor nxsty $ xmms
Segmenteringsfel
nxsty@Isidor nxsty $ mplayer
Segmenteringsfel

X doesn't start either. 

Portage 2.0.50-r11 (default-x86-2004.2, gcc-3.4.1, glibc-2.3.3.20040420-r2,
2.6.9-rc3-ck2)
=================================================================
System uname: 2.6.9-rc3-ck2 i686 AMD Athlon(tm) XP 2800+
Gentoo Base System version 1.4.16
Autoconf: sys-devel/autoconf-2.59-r4
Automake: sys-devel/automake-1.8.5-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=athlon-xp -pipe -fomit-frame-pointer -ffast-math -g0
-DNO_DEBUG -DNDEBUG"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config
/usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config
/var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=athlon-xp -pipe -fomit-frame-pointer -ffast-math -g0
-DNO_DEBUG -DNDEBUG -fvisibility-inlines-hidden -fno-enforce-eh-specs"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox"
GENTOO_MIRRORS="http://mirror.pudas.net/gentoo ftp://ftp.rhnet.is/pub/gentoo/
ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/
http://ftp.rhnet.is/pub/gentoo/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow X aalib alsa apm avi berkdb bitmap-fonts caps cdr crypt dga dvd dvdr
encode esd esound f77 fbcon foomaticdb gdbm gif gnome gphoto2 gpm gtk gtk2
imlib jack jack-tmpfs java jpeg libg++ libwww linguas_sv mad mikmod mmx mng
motif mozilla mpeg ncurses nls nptl objc offensive oggvorbis opengl pam pdflib
perl pic png pnp python qt quicktime readline samba sdl slang spell sse ssl svg
svga tcpd tiff truetype unicode usb userlocales video_cards_radeon x86 xine
xml xml2 xmms xprint xv xvid zlib"

------- Comment #16 From Simon Strandman 2004-10-08 15:04:02 0000 -------
Ignore my previous post. The problems were probably caused by some weird
filesystem error triggered by my glibc update. There are a lot of xfs changes in
2.6.9-rc* and I use xfs on my / so I should report this to lkml instead.

------- Comment #17 From solar 2004-10-09 07:22:12 0000 -------
Using -DNDEBUG in CFLAGS is a really bad idea. Don't do it. You're opening
yourself to all sorts of holes and we won't take anything you report seriously.

------- Comment #18 From Travis Tilley (RETIRED) 2004-10-12 05:09:49 0000 -------
so... what does upstream think/say about this patch? lewk?

------- Comment #19 From Luke Macken (RETIRED) 2004-10-13 20:49:48 0000 -------
This issue still exists in the current libc cvs tree, and I have been unable to
find any news regarding this issue on any of their mailing lists.  I'm pretty
sure this issue never made it upstream from Trustix, so I helped.

http://sources.redhat.com/bugzilla/show_bug.cgi?id=446

------- Comment #20 From Luke Macken (RETIRED) 2004-10-17 12:57:14 0000 -------
Upstream shot down patch because there wasn't enough information about what
exactly the problems that the patch fixes are.  I don't know much more about
the patches, so I couldn't put anything else really.

Well, that was a waste of time.

Toolchain, it's your call what to do next.

------- Comment #21 From Thierry Carrez (RETIRED) 2004-10-20 04:38:53 0000 -------
This is CAN-2004-0968

------- Comment #22 From solar 2004-10-20 05:32:26 0000 -------
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136318

------- Comment #23 From Thierry Carrez (RETIRED) 2004-10-20 07:28:32 0000 -------
In cvs, keywords maintained, upstream looks ok (from RedHat bug):
This is all ready for a GLSA.

------- Comment #24 From Luke Macken (RETIRED) 2004-10-21 06:45:39 0000 -------
GLSA 200410-19
