
Bug 59526

Summary: sys-libs/glibc potential info leak vuln
Product: Gentoo Security
Reporter: Brandon Hale (RETIRED) <tseng>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard: A4 [glsa]
Package list:
Runtime testing required: ---

Description Brandon Hale (RETIRED) gentoo-dev 2004-08-05 08:10:19 UTC
There is an issue in Glibc where LD_DEBUG is allowed on suid binaries when it should not be. Patch is applied to glibc-2.3.4.20040619-r1, KEYWORDS="-* ~x86 ~mips ~amd64 ~hppa"
${FILESDIR}/glibc-sec-hotfix-20040804.patch

The patch conflicts with owl-malloc patch in some glibcs, so they are both rolled into the patch. Remove owl-malloc if adding to another glibc.

Arch folks please fix your current glibc or test + keyword a patched version.
Comment 1 SpanKY gentoo-dev 2004-08-05 08:26:03 UTC
hotfix applies cleanly to 2.3.2-r10

we'll also have to touch up the patch to apply cleanly to 2.2.5 (it just needs a
few cosmetic touchups)
Comment 2 SpanKY gentoo-dev 2004-08-05 08:29:34 UTC
all glibc's in portage atm (except for glibc-2.3.4.20040619-r1) need to get
updated and/or pruned

arch maintainers: we'll add the patch and then post the versions that'll need
to get marked stable / unstable
Comment 3 SpanKY gentoo-dev 2004-08-05 10:23:51 UTC
glibc-2.3.2-r11 is in portage ...
these arches are eligible for moving to stable:
x86 ppc sparc mips alpha arm hppa amd64 ia64 s390

this should be pretty painless since the only changes between the previous stables
(glibc-2.3.2-r{9,10}) consist of:
- ebuild clean up (moving flag mangling functions out of global scope)
- no longer stripping libpthread or libthread_db
- this security patch
Comment 4 Tom Martin (RETIRED) gentoo-dev 2004-08-05 11:54:57 UTC
Stable on amd64.
Comment 5 Travis Tilley (RETIRED) gentoo-dev 2004-08-06 03:12:06 UTC
slarti - we don't even use 2.3.2 on amd64... glibc-2.3.4.20040619-r1 has the hotfix and that's what we use.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2004-08-07 03:29:00 UTC
For stable profiles, here is what the arches currently use and should try to mark stable.

These arches use a 2.3.2 and should test and mark the fixed 2.3.2-r11 :
alpha (2.3.2-r9)
arm (2.3.2-r10)
hppa (2.3.2-r10)
ia64 (2.3.2-r9)
s390 (2.3.2-r10)
sparc (2.3.2-r9)

These arches currently use a 2.3.3. For them, a patched 2.3.3 should be produced, or maybe they can directly go for the 2.3.4.20040619-r1 :
mips (2.3.3.20040420)
x86 (2.3.3.20040420) 

This arch uses a 2.3.4. They should test and mark the fixed 2.3.4.20040619-r1 :
ppc64 (2.3.4.20040605)

This arch is already set :
amd64 (2.3.4.20040619-r1)
Comment 7 Aron Griffis (RETIRED) gentoo-dev 2004-08-07 20:05:43 UTC
glibc-2.3.2-r11 marked stable on ia64
Comment 8 SpanKY gentoo-dev 2004-08-08 20:54:48 UTC
stable on arm
Comment 9 Gustavo Zacarias (RETIRED) gentoo-dev 2004-08-09 07:07:35 UTC
glibc-2.3.2-r11 gone sparc stable.
Comment 10 Brandon Hale (RETIRED) gentoo-dev 2004-08-09 08:03:23 UTC
Added patch to new glibc-2.3.3.20040420-r1 for x86 stablage.
Comment 11 Guy Martin (RETIRED) gentoo-dev 2004-08-09 08:26:21 UTC
Done on hppa.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-09 13:05:55 UTC
We still need ppc for the GLSA to go out.

Also alpha ppc64 s390 should mark stable.
Comment 13 Bryan Østergaard (RETIRED) gentoo-dev 2004-08-11 03:08:34 UTC
glibc-2.3.2-r11 marked stable on alpha.
Comment 14 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2004-08-11 04:03:12 UTC
glibc-2.3.3.20040420-r1 stable on ppc.
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-11 04:22:08 UTC
Ready for GLSA. Security please review draft.
Comment 16 solar (RETIRED) gentoo-dev 2004-08-11 17:49:50 UTC
The discovery of this bug and patch comes from Brad Spengler of the grsecurity project.
Comment 17 Brad Spengler 2004-08-11 19:40:30 UTC
Silvio Cesare actually discovered the bug.  I just wrote the patch.
Comment 18 Joshua Kinard gentoo-dev 2004-08-12 18:26:00 UTC
mips stable bumped to 2.3.4.20040619-r1.
Comment 19 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-14 11:33:09 UTC
***bump***
ppc64 and s390 last chance to mark stable before the GLSA goes out.
***bump***
Comment 20 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-17 23:31:58 UTC
GLSA 200408-16

ppc64 and s390 please remember to mark stable to benefit from the GLSA.
Comment 21 Tom Gall (RETIRED) gentoo-dev 2004-09-25 22:10:55 UTC
I'll point out there's nothing to be done here for ppc64. We don't use a version of glibc that old.