| Field | Value |
|---|---|
| Summary | sys-libs/glibc: integer overflow in ld.so CVE-2007-3508 |
| Product | Gentoo Security |
| Reporter | Tavis Ormandy (RETIRED) <taviso> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | major |
| CC | caluml, gengor, ssuominen, toolchain |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | A1 [glsa] |
| Package list | |
| Runtime testing required | --- |
Description
Tavis Ormandy (RETIRED)
2007-07-01 15:29:48 UTC
Created attachment 123536
ignore HWCAP_MASK for suid/sgid
this is CVE-2007-3508.

This is in the tree now as -r4 per a taviso request.

```
solar@hangover / $ LD_HWCAP_MASK=$((0xffffffff)) id
Inconsistency detected by ld.so: dl-minimal.c: 84: __libc_memalign: Assertion `page != ((void *) -1)' failed!
solar@hangover / $ LD_HWCAP_MASK=$((0xffffffff)) su
Password:
```

http://sources.gentoo.org/viewcvs.py/gentoo/src/patchsets/glibc/2.5/ as patch 1600

x86: Please test and mark stable sys-libs/glibc-2.5-r4, in particular, please ensure that the following command succeeds:

```
$ env -i LD_HWCAP_MASK=$((0xffffffff)) su
```

x86 stable, changing status to glsa?

Shouldn't amd64 be marking this stable too before you do the glsa...

Is there any chance of having a 2.3 and 2.4 version of Glibc made available for this - some binary packages (HelixServer for instance) have problems with some versions of glibc, and if you have to run them, it'd be nice to be able to run them on a secure version of glibc.

Jeremy: we believe only x86 is affected, a 64bit arch like amd64 should be safe
Calum: This only affects suid applications, so unless your server is setuid, this shouldn't affect you

Aaah, thanks for the reply. Doesn't it mean though that someone could use a "standard" suid program such as su/mount/passwd to gain root though?

what's the upstream status? has anyone posted there? if not, i'll take it up

GLSA 200707-04

Vapier: Yep, it's fixed in upstream CVS http://sourceware.org/cgi-bin/cvsweb.cgi/libc/ChangeLog.diff?r1=1.10688&r2=1.10689&cvsroot=glibc&sortby=date (they fixed the bug, rather than just blacklisting it for suid)

ok, i checked for the mask rather than the fix ... i'll update our patches to match upstream ... thanks

considering all arches parse glsa's, i think all should stabilize ... especially since it's pretty trivial/non-invasive

ppc64 stable

reopening bug, so this pops up in bug lists of stable marking monkeys ^^

alpha/ia64 stable

mips stable.

(In reply to comment #8)
> Jeremy: we believe only x86 is affected, a 64bit arch like amd64 should be safe

32bit suid apps on amd64 are affected though...

```
$ env -i LD_HWCAP_MASK=$((0xffffffff)) /mnt/gentoo32/bin/su
Segmentation fault
```

Stable for HPPA.

sparc stable.

ppc stable

amd64 stable

Any reason this is still open?

I don't think so.