When there are many bits set in LD_HWCAP_MASK, an integer overflow could result in too little memory being allocated, potentially resulting in an exploitable condition.

Reproduce:

$ env -i LD_HWCAP_MASK=$((0xffffffff)) su
$ strace -emmap2 -f env -i LD_HWCAP_MASK=$((0x7fffffff)) su

As hwcap_mask is honoured for suid binaries, this is a security issue. Attached patch disabled this, as some other distributions have already done (eg, Owl). Vapier, could you prepare an updated ebuild incorporating this patch? Please don't commit it to portage yet, as this issue may require an embargo.
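As an added illustration of the size arithmetic the report describes (this is a constructed model, not the attached patch and not glibc's own code): the loader builds a table covering every combination of the hwcap bits left set by the mask, so the entry count is 1 << (bits set); on a 32-bit platform that count times an entry size is held in a 32-bit size_t and wraps once enough bits are set. The entry size of 8, the 32-bit width modelled with uint32_t, and the function names are assumptions; the checked variant shows the bound a loader needs before trusting such a mask.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not glibc's code: size_t on the affected 32-bit
   platforms is 32 bits wide, modelled here explicitly as uint32_t. */
typedef uint32_t size32_t;

/* Number of hwcap bits that remain set after applying the mask. */
unsigned count_bits(uint32_t mask)
{
    unsigned cnt = 0;
    for (; mask != 0; mask &= mask - 1)
        ++cnt;
    return cnt;
}

/* Unchecked pattern: one table entry per combination, 1 << cnt of them.
   The product is formed in 64 bits and then truncated to the 32-bit size
   an allocator on that platform would receive; with many bits set it wraps
   to a tiny value or zero, so far less memory is allocated than is later
   written into the table. */
size32_t table_bytes_unchecked(uint32_t mask, size32_t entry_size)
{
    unsigned cnt = count_bits(mask);
    uint64_t combos = (uint64_t)1 << cnt;      /* cnt <= 32, fits in 64 bits */
    return (size32_t)(combos * entry_size);    /* silent 32-bit truncation */
}

/* Hardened pattern: bound the bit count and check the multiplication before
   using the result. Returns 0 to mean "refuse this mask", so a caller falls
   back to its default rather than under-allocating. (entry_size is an
   assumed parameter, not glibc's.) */
size32_t table_bytes_checked(uint32_t mask, size32_t entry_size)
{
    unsigned cnt = count_bits(mask);
    if (cnt >= 32 || entry_size == 0)
        return 0;                              /* 1 << cnt would not fit */
    size32_t combos = (size32_t)1 << cnt;
    if (combos > UINT32_MAX / entry_size)
        return 0;                              /* combos * entry_size wraps */
    return combos * entry_size;
}

int main(void)
{
    /* Mask values constructed to mirror the ones in the report. */
    printf("0x7fffffff unchecked: %" PRIu32 " bytes\n", table_bytes_unchecked(0x7fffffffu, 8));
    printf("0x7fffffff checked:   %" PRIu32 " (0 = refused)\n", table_bytes_checked(0x7fffffffu, 8));
    printf("0x00000005 checked:   %" PRIu32 " bytes\n", table_bytes_checked(0x5u, 8));
    return 0;
}
```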
Created attachment 123536 [details, diff] ignore HWCAP_MASK for suid/sgid
this is CVE-2007-3508.
This is in the tree now as -r4 per a taviso request.

solar@hangover / $ LD_HWCAP_MASK=$((0xffffffff)) id
Inconsistency detected by ld.so: dl-minimal.c: 84: __libc_memalign: Assertion `page != ((void *) -1)' failed!
solar@hangover / $ LD_HWCAP_MASK=$((0xffffffff)) su
Password:

http://sources.gentoo.org/viewcvs.py/gentoo/src/patchsets/glibc/2.5/ as patch 1600
x86: Please test and mark stable sys-libs/glibc-2.5-r4, in particular, please ensure that the following command succeeds:

$ env -i LD_HWCAP_MASK=$((0xffffffff)) su
x86 stable, changing status to glsa?
Shouldn't amd64 be marking this stable too before you do the glsa...
Is there any chance of having a 2.3 and 2.4 version of Glibc made available for this - some binary packages (HelixServer for instance) have problems with some versions of glibc, and if you have to run them, it'd be nice to be able to run them on a secure version of glibc.
Jeremy: we believe only x86 is affected, a 64bit arch like amd64 should be safe
Calum: This only affects suid applications, so unless your server is setuid, this shouldn't affect you
Aaah, thanks for the reply. Doesn't it mean though that someone could use a "standard" suid program such as su/mount/passwd to gain root?
what's the upstream status? has anyone posted there? if not, i'll take it up
GLSA 200707-04
Vapier: Yep, it's fixed in upstream CVS http://sourceware.org/cgi-bin/cvsweb.cgi/libc/ChangeLog.diff?r1=1.10688&r2=1.10689&cvsroot=glibc&sortby=date (they fixed the bug, rather than just blacklisting it for suid)
ok, i checked for the mask rather than the fix ... i'll update our patches to match upstream ... thanks
considering all arches parse glsa's, i think all should stabilize ... especially since it's pretty trivial/non-invasive
ppc64 stable
reopening bug, so this pops up in bug lists of stable marking monkeys ^^
alpha/ia64 stable
mips stable.
(In reply to comment #8)
> Jeremy: we believe only x86 is affected, a 64bit arch like amd64 should be safe

32bit suid apps on amd64 are affected though...

$ env -i LD_HWCAP_MASK=$((0xffffffff)) /mnt/gentoo32/bin/su
Segmentation fault
Stable for HPPA.
sparc stable.
ppc stable
amd64 stable
Any reason this is still open?
I don't think so.