Bug 341755 (CVE-2010-3847) - <sys-libs/glibc-2.11.2-r3 Local privilege escalations (CVE-2010-{3847,3856})
Status: RESOLVED FIXED
Alias: CVE-2010-3847
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Security
URL: http://seclists.org/fulldisclosure/20...
Whiteboard: A1 [glsa]
Duplicates: 342327 342653 342685
Reported: 2010-10-19 11:15 UTC by Hanno Böck
Modified: 2011-10-08 14:11 UTC
Attachments
Build log (glibc-2.11.2-r2:20101029-070748.log.bz2,167.69 KB, text/plain)
2010-10-29 07:31 UTC, Agostino Sarubbo
build.log (glibc-build.log,786.63 KB, text/plain)
2010-11-01 10:08 UTC, Christian Faulhammer (RETIRED)
Description Hanno Böck gentoo-dev 2010-10-19 11:15:35 UTC
Local root exploit. The fix is here:
http://sourceware.org/ml/libc-hacker/2010-10/msg00007.html
Comment 1 Hanno Böck gentoo-dev 2010-10-19 12:17:15 UTC
I tried to reproduce the exploit on my system and it failed. The reason seems to be that our suid-executables are not readable by a normal user.
Though I don't know if the attack could be modified to still apply to our system, so we should still incorporate the upstream-patch.
Comment 2 SpanKY gentoo-dev 2010-10-19 20:04:46 UTC
i reported an exploit in virtualbox due to this, but we changed vbox to not use $ORIGIN and we updated the PM to abort on set*id with $ORIGIN in RPATH.  there are no packages in Gentoo that are affected by that code path now.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-10-20 05:38:27 UTC
Hanno, please stop putting things into the whiteboard if you cannot do it properly.

(In reply to comment #2)
>there are no packages in Gentoo that are affected by that code path now.
> 

Okay, that's a good start. What's your plan for bumping/fixing/stabilizing?
Comment 4 SpanKY gentoo-dev 2010-10-23 20:58:23 UTC
*** Bug 342327 has been marked as a duplicate of this bug. ***
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2010-10-23 22:54:57 UTC
If it helps any, I found these patches just now, both from Andreas Schwab at
Red Hat:

    CVE-2010-3847, $ORIGIN Issue
    http://sourceware.org/ml/libc-hacker/2010-10/msg00007.html

    CVE-2010-3856, LD_AUDIT issue
    http://sourceware.org/ml/libc-hacker/2010-10/msg00010.html
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2010-10-24 12:42:40 UTC
Is someone working on this? Target delay is 3 days for an A1 vulnerability.
Comment 7 SpanKY gentoo-dev 2010-10-24 15:47:34 UTC
in all practicality, i dont think there are set*id bins installed in Gentoo which would allow this due to our default usage of FEATURES=sfperms as Hanno pointed out in comment #2
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-10-24 15:56:15 UTC
(In reply to comment #7)
> in all practicality, i dont think there are set*id bins installed in Gentoo
> which would allow this due to our default usage of FEATURES=sfperms as Hanno
> pointed out in comment #2
> 

That might be covering for the $ORIGIN issue.
We are however indeed vulnerable to CVE-2010-3856. (see the PoC posted to f-d; I could reproduce the issue on ~amd64: http://seclists.org/fulldisclosure/2010/Oct/344)

As we are indeed susceptible to the latter issue, please prepare updated packages. I suggest you also include the $ORIGIN fix. Thanks.
Comment 9 Francisco Blas Izquierdo Riera gentoo-dev 2010-10-24 16:10:24 UTC
About setuid not being readable I have a nice counterexample I found on my system from the fcron package:
-rwsr-sr-x 1 root fcron        26656 ago 17 21:11 /usr/bin/fcronsighup

I have made a small script to show the files which are setuid for root and world readable: "find / -perm -4004 -type f -user root | xargs ls -l".
Comment 10 Andrey Batyiev 2010-10-24 22:50:41 UTC
(In reply to comment #9)
> I have made a small script to show the files which are setuid for root and
> world readable: "find / -perm -4004 -type f -user root | xargs ls -l".
> 

One more:

-rwsr-xr-- 1 root sbox 474149 Авг  9 16:43 /opt/scratchbox/sbin/chroot-uid

Well, it's limited to sbox group, but it's playing with fire.
Comment 11 frank 2010-10-25 09:30:16 UTC
following these instructions:

http://blog.funtoo.org/2010/10/security-update-glibc-2101-r2.html

suggests that my hardened servers with sys-libs/glibc-2.11.2 are vulnerable...
Comment 12 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-10-25 11:31:46 UTC
bug 342619 contains a patch to fix our unsecvar stuff, related to these issues.
Comment 13 Alexey 2010-10-25 17:59:53 UTC
When will it be fixed in stable portage?
Comment 14 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-10-25 18:11:41 UTC
*** Bug 342653 has been marked as a duplicate of this bug. ***
Comment 15 Matt 2010-10-25 18:30:45 UTC
there's an ebuild in the funtoo-tree - maybe we could borrow parts from that ?

http://blog.funtoo.org/2010/10/security-update-glibc-2101-r2.html
Comment 16 Hugo Mildenberger 2010-10-26 02:15:17 UTC
(In reply to comment #9)
> I have made a small script to show the files which are setuid for root and
> world readable: "find / -perm -4004 -type f -user root | xargs ls -l".
> 

Your script also found these two programs, belonging to net-misc/netkit-rsh:
-rwsr-xr-x 1 root root 18504  7. Apr 2009  /usr/bin/rlogin
-rwsr-xr-x 1 root root 14408  7. Apr 2009  /usr/bin/rsh
Comment 17 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2010-10-26 04:09:46 UTC
*** Bug 342685 has been marked as a duplicate of this bug. ***
Comment 18 SpanKY gentoo-dev 2010-10-26 05:32:01 UTC
sounds more like you guys arent using FEATURES=sfperms

i have netkit-rsh installed from 2008 and it looks fine:
-rws--x--x 1 root root 19064 Mar 29  2008 /usr/bin/rcp
-rws--x--x 1 root root 14904 Mar 29  2008 /usr/bin/rlogin
-rws--x--x 1 root root 14832 Mar 29  2008 /usr/bin/rsh

and a re-emerge of today shows correct behavior still:
>>> Installing (1 of 1) net-misc/netkit-rsh-0.17-r9
 * >>> SetUID: [chmod go-r] /usr/bin/rcp ...    [ ok ]
 * >>> SetUID: [chmod go-r] /usr/bin/rsh ...    [ ok ]
 * >>> SetUID: [chmod go-r] /usr/bin/rlogin ... [ ok ]

same for fcron:
 * >>> SetUID and SetGID: [chmod o-r] /usr/bin/fcrondyn ...    [ ok ]
 * >>> SetUID and SetGID: [chmod o-r] /usr/bin/fcronsighup ... [ ok ]
 * >>> SetUID and SetGID: [chmod o-r] /usr/bin/fcrontab ...    [ ok ]
Comment 19 Xake 2010-10-26 06:15:13 UTC
(In reply to comment #18)
> sounds more like you guys arent using FEATURES=sfperms

I have FEATURES="sfperms", but still:

>>> Installing (1 of 1) sys-process/fcron-3.0.6-r1
 * >>> SetUID and SetGID: [chmod o-r] /usr/bin/fcrontab 
 * >>> SetUID and SetGID: [chmod o-r] /usr/bin/fcrondyn 
 * >>> SetUID and SetGID: [chmod o-r] /usr/bin/fcronsighup 

# emerge --info
Portage 2.2_rc99 (hardened/linux/amd64/10.0, gcc-4.4.5, glibc-2.12.1-r1, 2.6.35-hardened-r5 x86_64)
=================================================================
System uname: Linux-2.6.35-hardened-r5-x86_64-Intel-R-_Core-TM-_i7_CPU_920_@_2.67GHz-with-gentoo-2.0.1
Timestamp of tree: Mon, 25 Oct 2010 09:00:02 +0000
distcc 3.1 x86_64-pc-linux-gnu [disabled]
ccache version 2.4 [disabled]
app-shells/bash:     4.1_p9
dev-java/java-config: 2.1.11-r1
dev-lang/python:     2.6.6-r1, 3.1.2-r4::Mine!
dev-util/ccache:     2.4-r8
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 2.0.1
sys-apps/openrc:     0.6.3
sys-apps/sandbox:    2.3-r1
sys-devel/autoconf:  2.13, 2.68
sys-devel/automake:  1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.4.5
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.82
virtual/os-headers:  2.6.35 (sys-kernel/linux-headers)
Repositories: gentoo hardened-dev gamerlay-stable x11 mozilla Mine
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe -ggdb -mtune=native"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -O2 -pipe -ggdb -mtune=native"
DISTDIR="/var/portage/distfiles"
FEATURES="assume-digests binpkg-logs buildpkg distlocks fixlafiles fixpackages metadata-transfer news parallel-fetch preserve-libs protect-owned sandbox sfperms splitdebug strict test unknown-features-warn unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="ftp://ftp.sunet.se/pub/os/Linux/distributions/gentoo"
LANG="sv_SE.UTF-8"
LC_ALL="C"
LDFLAGS="-Wl,--as-needed -Wl,-O1 -Wl,--sort-common -Wl,--warn-once,--hash-style=gnu"
LINGUAS="sv en"
MAKEOPTS="-j10 -l10"
PKGDIR="/var/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/var/portage"
PORTDIR_OVERLAY="/var/overlays/layman/hardened-development /var/overlays/layman/gamerlay /var/overlays/layman/x11 /var/overlays/layman/mozilla /var/overlays/mine"
SYNC="rsync://liten.csbnet.se/gentoo-portage"
USE="X a52 aac accessibility acl acpi alsa amd64 amr amrnb amrwb applet archive asyncns auto-hinter avahi bash-completion bluetooth branding bzip2 cairo ccache cdaudio cdda cdr cleartype cli connection-sharing consolekit coverart cracklib crypt cups cxx dbus device-mapper devicekit devkit dhcpcd digitalradio djvu dri dts dvd dvdr dvi eds enca encode eselect evo exif faac faad fat fbcondecor ffmpeg fftw flac fontconfig fuse gdbm gdm gdu gif gimp glib gmp gnome gnome-keyring gphoto2 gpm grammar graphite gsf gsm gstreamer gtk gudev hal hardened hpn ical iconv iconvacl icq icu id3tag idn ieee1394 iptc ipv6 ithreads jabber jack java6 jingle jpeg jpeg2k justify kate kvm lcms libffi libnotify libsamplerate logrotate lvm lvm2 lzma mad maps math matroska md mdadm midi mms mmx mmxext mng moonlight mp2 mp3 mpeg mpi msn mtp mudflap multilib musepack musicbrainz nautilus ncurses network-cron networkmanager nfs nls nntp nptl nptlonly ntfs offensive ogg openal opencore-amr opengl openmp openntpd ots pam pango parted pcre pdf perl pic pidgin playlist png policykit pppd pulseaudio python quicktime raw readline rrdcgi rtmp samba schroedinger sensord session smp sms speex spell sse sse2 sse3 ssl ssse3 startup-notification subversion svg sysfs test tex theora thesaurus threads tiff totem truetype udev unicode upnp urandom usb userlocales v4l2 vaapi vhook videos vim-syntax vorbis webkit wmf x264 xcb xcomposite xmp xmpp xorg xrandr xscreensaver xulrunner xv xvid xvmc zeroconf zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info 
log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="sv en" PHP_TARGETS="php5-2" QEMU_SOFTMMU_TARGETS="i386 x86_64" QEMU_USER_TARGETS="i386 x86_64" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="nouveau" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 20 SpanKY gentoo-dev 2010-10-26 06:27:49 UTC
there is no "but still".  your output shows sfperms doing its job.

a3li pointed out that sfperms isnt the default on most non-hardened systems.  i thought it was.  i'll get that fixed.
Comment 21 Andrew Savchenko gentoo-dev 2010-10-26 06:57:09 UTC
(In reply to comment #20)
> there is no "but still".  your output shows sfperms doing its job.

1) sfperms is not a reliable solution. The current exploit is only an example, and more problems may occur in the future if environment variables are not sanitized.

2) In spite of the sfperms use flag, glibc is still vulnerable to CVE-2010-3856 and this should be fixed ASAP.
Comment 22 SpanKY gentoo-dev 2010-10-26 07:27:27 UTC
no one said sfperms was going to fix everything.  it does however prevent CVE-2010-3847 and will probably head off bugs in the future where read access to the set*id binary is required.

upstream has not changed any of their $ORIGIN handling, and Gentoo does not allow set*id binaries to be installed with RPATH's set to $ORIGIN.  so that isnt an issue.

i have added the patch for LD_AUDIT since upstream has merged that.  considering CVE-2010-3847 only exists due to the LD_AUDIT issue, i dont see anything else that needs to be merged in glibc.
Comment 23 Hanno Böck gentoo-dev 2010-10-26 08:05:04 UTC
"upstream has not changed any of their $ORIGIN handling, and Gentoo does not
allow set*id binaries to be installed with RPATH's set to $ORIGIN.  so that
isnt an issue."

What about stuff manually installed in /usr/local ? I think while sfperms is a useful security measure, we cannot rely on it.
Comment 24 frank 2010-10-26 08:24:23 UTC
sfperms doesn't have any effect on my hardened system:

$ emerge --info|grep sfperms
FEATURES="assume-digests distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"

$ umask 0 && LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="lolwhat" /bin/mount
ERROR: ld.so: object 'libpcprofile.so' cannot be loaded as audit interface: undefined symbol: la_version; ignored.
/dev/sda5 on / type ext3 (rw,noatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
udev on /dev type tmpfs (rw,nosuid,relatime,size=10240k,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620)
shm on /dev/shm type tmpfs (rw,noexec,nosuid,nodev)
/dev/sdb1 on /mnt/backup type ext3 (rw)
/dev/sda7 on /var type ext3 (rw,noatime)
/dev/sda6 on /tmp type ext3 (rw,noexec,noatime)

$ ls -l lolwhat 
-rw-rw-rw- 1 root skunk 4 Oct 26 10:20 lolwhat
Comment 25 SpanKY gentoo-dev 2010-10-26 09:20:19 UTC
tove corrected me ... we've already been setting sfperms for years via portage and make.globals.  so if you have FEATURES=-sfperms in your make.conf, that's an error on your part.

once again, i never said sfperms solved everything.  of course people installing their own crap outside of the PM will not be handled.

frank: useless comment.  read what i already said.
Comment 26 frank 2010-10-26 10:25:28 UTC
sorry, nervously waiting for a LD_AUDIT fix...
Comment 27 Rafal Kupiec 2010-10-26 11:14:30 UTC
http://dev.belliash.eu.org/glibc/

Here you can find all the patches required, as well as ebuilds that were tested by me and a few friends. You can use them until the fix goes into the portage tree. This fixes both CVE-2010-3847 and CVE-2010-3856 and has caused no problems so far.

This solution differs from the one presented by the Funtoo developers, since they decided to completely disable LD_AUDIT, while the patches applied here enable the treatment of LD_AUDIT as LD_PRELOAD does.
Comment 28 Francisco Blas Izquierdo Riera gentoo-dev 2010-10-26 12:00:19 UTC
I do have sfperm enabled (just checked) and fcron still bypassed it when installed, maybe because when I installed this system and emerged fcron that feature wasn't set yet.

So you can't say, we have sfperm the bug won't affect us, because it can affect anybody with packages built before sfperm was added to features.
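An added example, not part of the original thread or of Portage: a POSIX shell audit that extends the `find` one-liner from comment #9 to every set*id file and flags those whose read bits differ from what the sfperms log lines in comment #18 leave behind (`chmod go-r` for SetUID, `chmod o-r` for SetUID and SetGID). The function name `audit_sfperms` and the handling of SetGID-only files like the SetUID-and-SetGID case are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug thread, not Portage's own code).
# Usage: sh audit_sfperms.sh /usr /opt /usr/local
#
# Lists set*id regular files that still carry read bits which the sfperms
# messages quoted in comment #18 would have stripped at install time:
#   SetUID:            chmod go-r
#   SetUID and SetGID: chmod o-r   (assumption: SetGID-only treated the same)
# Files installed outside the package manager, or merged before sfperms was
# enabled, are the cases raised in comments #23 and #28.

audit_sfperms() {
    for root in "$@"; do
        # SetUID without SetGID: flag if group OR other may read the file.
        find "$root" -xdev -type f -perm -4000 ! -perm -2000 \
            \( -perm -0040 -o -perm -0004 \) -print 2>/dev/null |
            sed 's/^/setuid-readable /'

        # SetGID (with or without SetUID): flag only if other may read it.
        find "$root" -xdev -type f -perm -2000 -perm -0004 -print 2>/dev/null |
            sed 's/^/setgid-readable /'
    done
}

# With no arguments this prints nothing; pass the trees to audit.
audit_sfperms "$@"
```

A clean result only shows that the permissions match sfperms; comment #40 records that read permission is not required, so it does not replace the glibc update.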
Comment 29 SpanKY gentoo-dev 2010-10-26 15:04:07 UTC
glibc-2.11.2-r2 and glibc-2.12.1-r2 in the tree with the LD_AUDIT fix
Comment 30 Tobias Heinlein (RETIRED) gentoo-dev 2010-10-27 19:08:32 UTC
Arches, please test and mark stable:
=sys-libs/glibc-2.11.2-r2
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"



To summarize what happened:
- The LD_AUDIT patch has been merged upstream and is also contained in the version to be stabilized above.
- The $ORIGIN patch has not (yet) been merged upstream and we will wait for a decision.

Comment 31 Tobias Heinlein (RETIRED) gentoo-dev 2010-10-27 19:09:13 UTC
Added all arches now.
Comment 32 Jeroen Roovers (RETIRED) gentoo-dev 2010-10-28 21:37:16 UTC
Stable for HPPA.
Comment 33 Markos Chandras (RETIRED) gentoo-dev 2010-10-29 00:16:26 UTC
amd64 done
Comment 34 Mark Loeser (RETIRED) gentoo-dev 2010-10-29 00:33:48 UTC
ppc64 done
Comment 35 Agostino Sarubbo gentoo-dev 2010-10-29 07:31:44 UTC
Created attachment 252459 [details]
Build log

Comment 36 Agostino Sarubbo gentoo-dev 2010-10-29 08:11:03 UTC
now the compilation is successful
Comment 37 Andrew Savchenko gentoo-dev 2010-10-29 14:28:46 UTC
(In reply to comment #35)

From your build log it is clear that you got ICE, so this is either your toolchain problem or hardware issue.
Comment 38 Jeroen Roovers (RETIRED) gentoo-dev 2010-10-29 15:19:29 UTC
Stable for PPC.
Comment 39 Markus Meier gentoo-dev 2010-10-30 10:05:34 UTC
x86 stable
Comment 40 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-10-31 21:10:23 UTC
Tavis confirmed in #gentoo-security that sfperms is not suitable as an alternative fix:

20:43:49 < taviso> If you read the notes section (Search for "Notes"), I described an alternative technique using pipes that does not require read permission.
20:43:52 < taviso> (And to be clear, a binary does _not_ have to use $ORIGIN in DT_RPATH or DT_RUNPATH).

In order to get this finally fixed, arches, please stabilize =glibc-2.11.2-r3 which contains an additional patch that was accepted by upstream. Sorry for the double work.
Comment 41 Markos Chandras (RETIRED) gentoo-dev 2010-10-31 23:02:01 UTC
amd64 done
Comment 42 Milos Ivanovic 2010-11-01 04:04:53 UTC
(In reply to comment #39)
> x86 stable
> 

amd64 is currently the only stable arch. Am I too eager? Or did you perhaps miss committing changes?

Thanks.
Comment 43 Francisco Blas Izquierdo Riera gentoo-dev 2010-11-01 04:12:25 UTC
#42 a new patch has been rolled, so the stable versions before comment #40 don't count.
Comment 44 Christian Faulhammer (RETIRED) gentoo-dev 2010-11-01 10:08:15 UTC
Created attachment 252771 [details]
build.log

Build failure with USE="gd glibc-omitfp nls vanilla -debug -profile", but it also happens with -r2, so no regression.

Comment 45 Tobias Klausmann (RETIRED) gentoo-dev 2010-11-01 12:18:07 UTC
Stable on alpha.
Comment 46 Christian Faulhammer (RETIRED) gentoo-dev 2010-11-01 13:24:28 UTC
x86 stable
Comment 47 Mark Loeser (RETIRED) gentoo-dev 2010-11-01 17:23:20 UTC
ppc64 done
Comment 48 Jeroen Roovers (RETIRED) gentoo-dev 2010-11-01 19:53:05 UTC
Stable for HPPA PPC.
Comment 49 Markus Meier gentoo-dev 2010-11-03 21:05:50 UTC
arm stable
Comment 50 SpanKY gentoo-dev 2010-11-09 13:21:08 UTC
i have no idea why -r3 was published for glibc.  -r2 is sufficient for the security issues raised here.
Comment 51 Hanno Böck gentoo-dev 2010-11-09 14:09:54 UTC
vapier, -r2 only fixes CVE-2010-3856, -r3 also fixes CVE-2010-3847 and as stated in comment #40, unlike thought before the permissions don't save us. So glibc-2.11.2-r3 is the only version fixing both issues for good.
Comment 52 Raúl Porcel (RETIRED) gentoo-dev 2010-11-09 19:53:30 UTC
ia64/sh/sparc stable, s390 will pass because it follows IBM's recommended glibc versions
Comment 53 SpanKY gentoo-dev 2010-11-09 23:20:08 UTC
comment #40 has no bearing at all on $ORIGIN.  the point was that LD_AUDIT is broken.  that is fixed in -r2.  so no, comment #40 is not justification for -r3.
Comment 54 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-11-10 00:29:10 UTC
<taviso> Honoome: fyi, i looked at the patch vapier applied to verify. He applied the patch that verifies the audit library has the suid bit set. The check specifically is `st.st_mode & S_ISUID) == 0` must be false...this only works if the other issue is fixed, because it assumes you cant add code to the trusted library search path. Because we can control $ORIGIN, we simply replace it with a DSO, set the suid bit (there is no check on uid), and then let
<taviso> The patch for the suid bit is important, but it only works (or makes sense) with the dst expansion fix.

So we do need -r3, not -r2. Given Tavis is the one who found the bug, I guess we can safely accept his opinion in merit, no?
Comment 55 SpanKY gentoo-dev 2010-11-10 04:00:15 UTC
in other words, the *dst patch* is necessary to fully fix things.  the $ORIGIN should not have been merged per my previous comments (like comment #22).  exploiting that is trivial (simply see Bug 260331).

so ive punted the $ORIGIN patch that isnt being merged upstream
Comment 56 Tobias Heinlein (RETIRED) gentoo-dev 2010-11-15 21:33:55 UTC
This is GLSA 201011-01, thanks everyone, and sorry about the delay.
Comment 57 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 14:11:36 UTC
CVE-2010-3856 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3856):
  ld.so in the GNU C Library (aka glibc or libc6) before 2.11.3, and 2.12.x
  before 2.12.2, does not properly restrict use of the LD_AUDIT environment
  variable to reference dynamic shared objects (DSOs) as audit objects, which
  allows local users to gain privileges by leveraging an unsafe DSO located in
  a trusted library directory, as demonstrated by libpcprofile.so.

CVE-2010-3847 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3847):
  elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through
  2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of
  $ORIGIN for the LD_AUDIT environment variable, which allows local users to
  gain privileges via a crafted dynamic shared object (DSO) located in an
  arbitrary directory.