| Field | Value |
|---|---|
| Summary | sys-libs/glibc: Insecure tempfile handling |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | Luke Macken (RETIRED) <lewk> |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | High |
| CC | brant, tigger, toolchain |
| Version | unspecified |
| Hardware | All |
| OS | All |
| URL | http://www.securityfocus.com/advisories/7263 |
| Whiteboard | A3 [glsa] lewk |
| Package list | |
| Runtime testing required | --- |
Description

Luke Macken (RETIRED), 2004-10-04 15:15:01 UTC

Created attachment 41097: glibc-2.3.2-tempfile.patch
Trustix patch to fix insecure tempfile handling
toolchain herd, please verify and apply patch if necessary.

After quickly skimming through it, it seems that our stable glibc-2.3.3.20040420-r1 is vulnerable.

Well. I can confirm that it patches clean. But overall that revision of glibc is pretty old and it's advised to never downgrade your glibc, so I can't test this on behalf of the toolchain herd. Should we attempt to apply to other versions of glibc? Do you have patches for any other revision of glibc?

I think it's probably safe to patch other versions as well. After comparing it to the stable version 2.3.3.20040420-r1, the catchsegv.sh file is *exactly* the same as in 2.3.2, the glibcbug.in file doesn't exist, and there is a minor 1 line difference in the oldtmpfile.c code. The patch was written by Trustix for their stable version of gcc, but seems to be safe for ours. It's totally your call though.

Created attachment 41123: glibc-2.3.3-tempfile.patch
Modified tempfile patch for glibc-2.3.3
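The bug class this patch addresses, as an added shell example (not code from the glibc scripts, the Trustix patch, or this bug): a guessable temp-file name next to the atomic `mktemp` form, plus a check a script can run before trusting a temp path. The `example` prefix and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example, not from glibc or the Trustix patch.

# The weak pattern: a name derived from the PID is predictable, and a
# plain ">" redirection follows whatever symlink already sits at that path.
# Kept here only as the thing the hardened form replaces; never written to.
insecure_tmp_name() {
    printf '%s/example.%s\n' "${TMPDIR:-/tmp}" "$$"
}

# The hardened form: mktemp(1) creates the file atomically with a random
# suffix and mode 0600, so the name cannot be guessed or pre-planted.
# Prints the path on stdout; non-zero status if creation failed.
secure_tmp_create() {
    mktemp "${TMPDIR:-/tmp}/example.XXXXXX"
}

# Defensive check before using a temp path: refuse symlinks, anything that
# is not a regular file, files owned by someone else, or modes other than
# 0600. Uses ls -ld so it works in any POSIX sh.
is_private_regular_file() {
    path=$1
    [ -L "$path" ] && return 1          # symlink: refuse even if target is fine
    [ -f "$path" ] || return 1          # missing, or not a regular file
    set -- $(ls -ld "$path")            # $1 = mode string, $3 = owner
    [ "$3" = "$(id -un)" ] || return 1  # must be owned by the caller
    [ "$(printf '%s' "$1" | cut -c1-10)" = "-rw-------" ]
}

# Create a file the safe way, verify it, and clean up; returns the verdict.
demo() {
    f=$(secure_tmp_create) || return 1
    if is_private_regular_file "$f"; then
        printf 'ok: %s is a private regular file\n' "$f"
        rc=0
    else
        printf 'refusing to use %s\n' "$f" >&2
        rc=1
    fi
    rm -f "$f"
    return "$rc"
}

demo
```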
Created attachment 41157: glibc-mega-tempfile-update.diff

I want somebody to test this before it gets committed to the tree.
glibc-2.2.5 (was not patched)

damnit dude. can you attach the actual ebuilds.

```
File to patch: glibc-2.3.2-r12.ebuild
glibc-2.3.2-r12.ebuild: No such file or directory
Skip this patch? [y]
```

etc. ...or at least diffs between ebuilds?

Damnit what? I'm not in the mood to take shit from you or anybody else. I'm not attaching a bunch of little files. I can attach a tarball. Or you can do the same darn thing I did. I added the patches to every ebuild in roughly the same spot. If you had not touched glibc like you said you wouldn't until this security problem was resolved, it would have patched clean.

Created attachment 41323: glibc ebuilds tarball
sys-libs/glibc tarball
...my bad. the patch has been added in cvs.

...has it been submitted upstream?

I am updating to sys-libs/glibc-2.3.3.20040420-r2 from sys-libs/glibc-2.3.3.20040420-r1. Several times now, the build routine has been broken and mentions a stack smashing attack.

```
CPP='gcc -E -x c-header' /var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/elf/ld-linux.so.2 --library-path /var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/math:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/elf:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/dlfcn:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/nss:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/nis:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/rt:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/resolv:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/crypt:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/nptl /var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/sunrpc/rpcgen -Y ../scripts -c rpcsvc/bootparam_prot.x -o /var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/sunrpc/xbootparam_prot.T
rpcgen: stack smashing attack in function __guard_setup()
.././scripts/mkinstalldirs /var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/sunrpc/rpcsvc
.././scripts/mkinstalldirs /var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/sunrpc/rpcsvc
mkdir /var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/sunrpc/rpcsvc
make[2]: *** [/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/sunrpc/xbootparam_prot.stmp] Aborted
make[2]: *** Waiting for unfinished jobs....
make[2]: *** Waiting for unfinished jobs....
CPP='gcc -E -x c-header' /var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/elf/ld-linux.so.2 --library-path /var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/math:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/elf:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/dlfcn:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/nss:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/nis:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/rt:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/resolv:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/crypt:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/nptl /var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/sunrpc/rpcgen -Y ../scripts -c rpcsvc/nlm_prot.x -o /var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/sunrpc/xnlm_prot.T
rpcgen: stack smashing attack in function __guard_setup()
make[2]: *** Waiting for unfinished jobs....
make[2]: *** Waiting for unfinished jobs....
CPP='gcc -E -x c-header' /var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/elf/ld-linux.so.2 --library-path /var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/math:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/elf:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/dlfcn:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/nss:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/nis:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/rt:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/resolv:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/crypt:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/nptl /var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/sunrpc/rpcgen -Y ../scripts -h rpcsvc/bootparam_prot.x -o /var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/sunrpc/rpcsvc/bootparam_prot.T
rpcgen: stack smashing attack in function __guard_setup()
make[2]: *** Waiting for unfinished jobs....
CPP='gcc -E -x c-header' /var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/elf/ld-linux.so.2 --library-path /var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/math:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/elf:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/dlfcn:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/nss:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/nis:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/rt:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/resolv:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/crypt:/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/nptl /var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/sunrpc/rpcgen -Y ../scripts -h rpcsvc/nlm_prot.x -o /var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/sunrpc/rpcsvc/nlm_prot.T
rpcgen: stack smashing attack in function __guard_setup()
make[2]: *** Waiting for unfinished jobs....
make[2]: *** [/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/sunrpc/xnlm_prot.stmp] Aborted
make[2]: *** [/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2/buildhere/sunrpc/rpcsvc/bootparam_prot.stmp] Aborted
make[1]: *** [sunrpc/others] Error 2
make[1]: Leaving directory `/var/tmp/portage/glibc-2.3.3.20040420-r2/work/glibc-2.3.2'
make: *** [all] Error 2

!!! ERROR: sys-libs/glibc-2.3.3.20040420-r2 failed.
!!! Function src_compile, Line 592, Exitcode 2
!!! (no error message)
```

I have never had this problem building glibc before.
Here is the portage information:

```
Portage 2.0.50-r11 (default-x86-2004.2, gcc-3.3.4, glibc-2.3.3.20040420-r1, 2.6.8-gentoo-r3)
=================================================================
System uname: 2.6.8-gentoo-r3 i686 Pentium III (Katmai)
Gentoo Base System version 1.4.16
distcc 2.16 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.3 [enabled]
Autoconf: sys-devel/autoconf-2.59-r4
Automake: sys-devel/automake-1.8.5-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O3 -march=pentium3 -mcpu=pentium3 -fprefetch-loop-arrays -fomit-frame-pointer -pipe -ftracer -fstack-protector"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O3 -march=pentium3 -mcpu=pentium3 -fprefetch-loop-arrays -fomit-frame-pointer -pipe -ftracer -fstack-protector"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs buildpkg ccache distcc fixpackages sandbox strict"
GENTOO_MIRRORS="ftp://localhost/linux/gentoo ftp://mirrors.tds.net/gentoo http://mirrors.tds.net/gentoo http://gentoo.mirrors.pair.com/ http://mirror.datapipe.net/gentoo"
MAKEOPTS="-j8"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.us.gentoo.org/gentoo-portage"
USE="apm arts avi berkdb bitmap-fonts cjk crypt cups encode foomaticdb gdbm gif gpm gtk2 imlib jpeg justify kde libg++ libwww mad mikmod mmx mpeg ncurses nls nptl oggvorbis opengl oss pam parse-clocks pdflib perl pic png python qt quicktime readline sdl slang spell sse ssl tcpd truetype unicode x86 xml2 xmms xprint xv zlib"
```

That does not have to do w/ this bug. Remove -fstack-protector from CFLAGS/CXXFLAGS. If you want a hardened setup, use the hardened use flag instead (and rebuild gcc).

The upgrade from glibc-2.3.3.20040420-r1 to r2 makes things segmentation fault. :( Recompiling those applications doesn't solve it.

```
nxsty@Isidor nxsty $ xmms
Segmenteringsfel
nxsty@Isidor nxsty $ mplayer
Segmenteringsfel
```

X doesn't start either.

```
Portage 2.0.50-r11 (default-x86-2004.2, gcc-3.4.1, glibc-2.3.3.20040420-r2, 2.6.9-rc3-ck2)
=================================================================
System uname: 2.6.9-rc3-ck2 i686 AMD Athlon(tm) XP 2800+
Gentoo Base System version 1.4.16
Autoconf: sys-devel/autoconf-2.59-r4
Automake: sys-devel/automake-1.8.5-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=athlon-xp -pipe -fomit-frame-pointer -ffast-math -g0 -DNO_DEBUG -DNDEBUG"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=athlon-xp -pipe -fomit-frame-pointer -ffast-math -g0 -DNO_DEBUG -DNDEBUG -fvisibility-inlines-hidden -fno-enforce-eh-specs"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox"
GENTOO_MIRRORS="http://mirror.pudas.net/gentoo ftp://ftp.rhnet.is/pub/gentoo/ ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ http://ftp.rhnet.is/pub/gentoo/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow X aalib alsa apm avi berkdb bitmap-fonts caps cdr crypt dga dvd dvdr encode esd esound f77 fbcon foomaticdb gdbm gif gnome gphoto2 gpm gtk gtk2 imlib jack jack-tmpfs java jpeg libg++ libwww linguas_sv mad mikmod mmx mng motif mozilla mpeg ncurses nls nptl objc offensive oggvorbis opengl pam pdflib perl pic png pnp python qt quicktime readline samba sdl slang spell sse ssl svg svga tcpd tiff truetype unicode usb userlocales video_cards_radeon x86 xine xml xml2 xmms xprint xv xvid zlib"
```

Ignore my previous post. The problems were probably caused by some weird filesystem error triggered by my glibc update. There are a lot of xfs changes in 2.6.9-rc* and I use xfs on my /, so I should report this to lkml instead.

Using -DNDEBUG in CFLAGS is a really bad idea. Don't do it. You're opening yourself to all sorts of holes and we won't take anything you report seriously.

so... what does upstream think/say about this patch? lewk?

This issue still exists in the current libc cvs tree, and I have been unable to find any news regarding this issue on any of their mailing lists. I'm pretty sure this issue never made it upstream from Trustix, so I helped. http://sources.redhat.com/bugzilla/show_bug.cgi?id=446

Upstream shot down the patch because there wasn't enough information about what exactly the problems that the patch fixes are. I don't know much more about the patches, so I couldn't put anything else really. Well, that was a waste of time. Toolchain, it's your call what to do next.

This is CAN-2004-0968

In cvs, keywords maintained, upstream looks ok (from RedHat bug): This is all ready for a GLSA.

GLSA 200410-19