Local root exploit. The fix is here: http://sourceware.org/ml/libc-hacker/2010-10/msg00007.html
I tried to reproduce the exploit on my system and it failed. The reason seems to be that our suid executables are not readable by a normal user. However, I don't know if the attack could be modified to still apply to our system, so we should still incorporate the upstream patch.
i reported an exploit in virtualbox due to this, but we changed vbox to not use $ORIGIN and we updated the PM to abort on set*id with $ORIGIN in RPATH. there are no packages in Gentoo that are affected by that code path now.
Hanno, please stop putting things into the whiteboard if you cannot do it properly.

(In reply to comment #2)
> there are no packages in Gentoo that are affected by that code path now.

Okay, that's a good start. What's your plan for bumping/fixing/stabilizing?
*** Bug 342327 has been marked as a duplicate of this bug. ***
If it helps any, I found these patches just now, both from Andreas Schwab at Red Hat:

CVE-2010-3847, $ORIGIN issue
http://sourceware.org/ml/libc-hacker/2010-10/msg00007.html

CVE-2010-3856, LD_AUDIT issue
http://sourceware.org/ml/libc-hacker/2010-10/msg00010.html
Is someone working on this? Target delay is 3 days for an A1 vulnerability.
in all practicality, i don't think there are set*id bins installed in Gentoo which would allow this due to our default usage of FEATURES=sfperms as Hanno pointed out in comment #2
(In reply to comment #7)
> in all practicality, i don't think there are set*id bins installed in Gentoo
> which would allow this due to our default usage of FEATURES=sfperms as Hanno
> pointed out in comment #2

That might be covering for the $ORIGIN issue. We are however indeed vulnerable to CVE-2010-3856 (see the PoC posted to f-d; I could reproduce the issue on ~amd64: http://seclists.org/fulldisclosure/2010/Oct/344). As we are indeed susceptible to the latter issue, please prepare updated packages. I suggest you also include the $ORIGIN fix. Thanks.
About setuid not being readable, I have a nice counterexample I found on my system from the fcron package:

-rwsr-sr-x 1 root fcron 26656 ago 17 21:11 /usr/bin/fcronsighup

I have made a small script to show the files which are setuid for root and world readable: "find / -perm -4004 -type f -user root | xargs ls -l".
(In reply to comment #9)
> I have made a small script to show the files which are setuid for root and
> world readable: "find / -perm -4004 -type f -user root | xargs ls -l".

One more:

-rwsr-xr-- 1 root sbox 474149 Авг 9 16:43 /opt/scratchbox/sbin/chroot-uid

Well, it's limited to the sbox group, but it's playing with fire.
Following these instructions: http://blog.funtoo.org/2010/10/security-update-glibc-2101-r2.html suggests that my hardened servers with sys-libs/glibc-2.11.2 are vulnerable...
bug 342619 contains a patch to fix our unsecvar stuff, related to these issues.
When will it be fixed in stable portage?
*** Bug 342653 has been marked as a duplicate of this bug. ***
there's an ebuild in the funtoo tree; maybe we could borrow parts from that? http://blog.funtoo.org/2010/10/security-update-glibc-2101-r2.html
(In reply to comment #9)
> I have made a small script to show the files which are setuid for root and
> world readable: "find / -perm -4004 -type f -user root | xargs ls -l".

Your script also found these two programs, belonging to net-misc/netkit-rsh:

-rwsr-xr-x 1 root root 18504 7. Apr 2009 /usr/bin/rlogin
-rwsr-xr-x 1 root root 14408 7. Apr 2009 /usr/bin/rsh
*** Bug 342685 has been marked as a duplicate of this bug. ***
sounds more like you guys aren't using FEATURES=sfperms

i have netkit-rsh installed from 2008 and it looks fine:

-rws--x--x 1 root root 19064 Mar 29 2008 /usr/bin/rcp
-rws--x--x 1 root root 14904 Mar 29 2008 /usr/bin/rlogin
-rws--x--x 1 root root 14832 Mar 29 2008 /usr/bin/rsh

and a re-emerge of today shows correct behavior still:

>>> Installing (1 of 1) net-misc/netkit-rsh-0.17-r9
 * >>> SetUID: [chmod go-r] /usr/bin/rcp ... [ ok ]
 * >>> SetUID: [chmod go-r] /usr/bin/rsh ... [ ok ]
 * >>> SetUID: [chmod go-r] /usr/bin/rlogin ... [ ok ]

same for fcron:

 * >>> SetUID and SetGID: [chmod o-r] /usr/bin/fcrondyn ... [ ok ]
 * >>> SetUID and SetGID: [chmod o-r] /usr/bin/fcronsighup ... [ ok ]
 * >>> SetUID and SetGID: [chmod o-r] /usr/bin/fcrontab ... [ ok ]
(In reply to comment #18)
> sounds more like you guys aren't using FEATURES=sfperms

I have FEATURES="sfperms", but still:

>>> Installing (1 of 1) sys-process/fcron-3.0.6-r1
 * >>> SetUID and SetGID: [chmod o-r] /usr/bin/fcrontab
 * >>> SetUID and SetGID: [chmod o-r] /usr/bin/fcrondyn
 * >>> SetUID and SetGID: [chmod o-r] /usr/bin/fcronsighup

# emerge --info
Portage 2.2_rc99 (hardened/linux/amd64/10.0, gcc-4.4.5, glibc-2.12.1-r1, 2.6.35-hardened-r5 x86_64)
FEATURES="assume-digests binpkg-logs buildpkg distlocks fixlafiles fixpackages metadata-transfer news parallel-fetch preserve-libs protect-owned sandbox sfperms splitdebug strict test unknown-features-warn unmerge-logs unmerge-orphans userfetch"
there is no "but still". your output shows sfperms doing its job. a3li pointed out that sfperms isn't the default on most non-hardened systems. i thought it was. i'll get that fixed.
(In reply to comment #20)
> there is no "but still". your output shows sfperms doing its job.

1) sfperms is not a reliable solution. The current exploit is only an example, and more problems may occur in the future if environment variables are not sanitized.
2) In spite of the sfperms use flag, glibc is still vulnerable to CVE-2010-3856 and this should be fixed ASAP.
no one said sfperms was going to fix everything. it does however prevent CVE-2010-3847 and will probably head off bugs in the future where read access to the set*id binary is required. upstream has not changed any of their $ORIGIN handling, and Gentoo does not allow set*id binaries to be installed with RPATHs set to $ORIGIN. so that isn't an issue. i have added the patch for LD_AUDIT since upstream has merged that. considering CVE-2010-3847 only exists due to the LD_AUDIT issue, i don't see anything else that needs to be merged in glibc.
"upstream has not changed any of their $ORIGIN handling, and Gentoo does not allow set*id binaries to be installed with RPATHs set to $ORIGIN. so that isn't an issue."

What about stuff manually installed in /usr/local? I think that while sfperms is a useful security measure, we cannot rely on it.
sfperms doesn't have any effect on my hardened system:

$ emerge --info|grep sfperms
FEATURES="assume-digests distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"

$ umask 0 && LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="lolwhat" /bin/mount
ERROR: ld.so: object 'libpcprofile.so' cannot be loaded as audit interface: undefined symbol: la_version; ignored.
/dev/sda5 on / type ext3 (rw,noatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
udev on /dev type tmpfs (rw,nosuid,relatime,size=10240k,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620)
shm on /dev/shm type tmpfs (rw,noexec,nosuid,nodev)
/dev/sdb1 on /mnt/backup type ext3 (rw)
/dev/sda7 on /var type ext3 (rw,noatime)
/dev/sda6 on /tmp type ext3 (rw,noexec,noatime)

$ ls -l lolwhat
-rw-rw-rw- 1 root skunk 4 Oct 26 10:20 lolwhat
tove corrected me ... we've already been setting sfperms for years via portage and make.globals. so if you have FEATURES=-sfperms in your make.conf, that's an error on your part. once again, i never said sfperms solved everything. of course people installing their own crap outside of the PM will not be handled. frank: useless comment. read what i already said.
sorry, nervously waiting for a LD_AUDIT fix...
http://dev.belliash.eu.org/glibc/

Here you can find all patches required as well as ebuilds that were tested by me and a few friends. You can use it since the fix goes into the portage tree. This fixes both CVE-2010-3847 and CVE-2010-3856 and causes no problems so far. This solution differs from the one presented by Funtoo developers, since they decided to completely disable LD_AUDIT, while the patches applied here enable the treatment of LD_AUDIT as LD_PRELOAD does.
I do have sfperms enabled (just checked) and fcron still bypassed it when installed, maybe because when I installed this system and emerged fcron that feature wasn't set yet. So you can't say "we have sfperms, the bug won't affect us", because it can affect anybody with packages built before sfperms was added to FEATURES.
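For the situation described in the comments above (packages merged before sfperms was in FEATURES, and set*id binaries installed by hand outside the package manager), here is an audit script; it is an added example and not code from the bug thread or from Portage. It assumes GNU stat and find (Linux); readelf from binutils is optional and only used for the $ORIGIN-in-RPATH check that Portage performs at merge time.

```shell
#!/bin/sh
# Added example, not from the bug thread or from Portage: audit the set*id files
# already installed on a host for the two properties the thread argues about.
#   readable     : other-readable mode, which FEATURES=sfperms strips at merge time
#                  (packages merged before sfperms was enabled keep the old mode)
#   origin-rpath : $ORIGIN in DT_RPATH/DT_RUNPATH, which Portage refuses for set*id
#                  binaries but nothing checks for files installed by hand
# Assumes GNU stat/find (Linux); readelf from binutils is optional.

# Permission bits of a file as an integer, e.g. a 4755 file yields 2541.
file_mode() {
    m=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    printf '%d\n' "$((0$m))"   # leading 0 makes the shell parse it as octal
}

# Succeeds when the file has the setuid or setgid bit.
is_setid() {
    m=$(file_mode "$1") || return 1
    [ $((m & 06000)) -ne 0 ]
}

# Succeeds when the file is set*id AND readable by "other", the state in which
# fcronsighup and rlogin were found in the comments above.
setid_world_readable() {
    is_setid "$1" || return 1
    m=$(file_mode "$1") || return 1
    [ $((m & 0004)) -ne 0 ]
}

# Succeeds when DT_RPATH or DT_RUNPATH contains $ORIGIN. Returns 1 when neither
# does, 2 when readelf is unavailable or the file is not an ELF object.
rpath_has_origin() {
    command -v readelf >/dev/null 2>&1 || return 2
    dyn=$(readelf -d "$1" 2>/dev/null) || return 2
    printf '%s\n' "$dyn" | grep -E '\((RPATH|RUNPATH)\)' | grep -q 'ORIGIN'
}

# Walk ROOT (default /) and print "<path> <finding>" for every set*id file with
# at least one finding; a clean system prints nothing.
audit_setid() {
    root=${1:-/}
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        if setid_world_readable "$f"; then
            printf '%s readable\n' "$f"
        fi
        if rpath_has_origin "$f"; then
            printf '%s origin-rpath\n' "$f"
        fi
    done
}

# Set AUDIT_SETID_MAIN=1 to audit the host when the script is run directly
# (as root, so every directory is traversed); otherwise only the functions are defined.
if [ "${AUDIT_SETID_MAIN:-0}" = 1 ]; then
    audit_setid "${1:-/}"
fi
```

Any "readable" line is a candidate for `chmod o-r`, the same change sfperms applies at merge time; an "origin-rpath" line on a set*id file is what the package manager check in comment #2 exists to prevent.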
glibc-2.11.2-r2 and glibc-2.12.1-r2 in the tree with the LD_AUDIT fix
Arches, please test and mark stable:
=sys-libs/glibc-2.11.2-r2
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

To summarize what happened:
- The LD_AUDIT patch has been merged upstream and is also contained in the version to be stabilized above.
- The $ORIGIN patch has not (yet) been merged upstream and we will wait for a decision.
Added all arches now.
Stable for HPPA.
amd64 done
ppc64 done
Created attachment 252459 [details]
Build log

Portage 2.1.9.22 (default/linux/amd64/10.0, gcc-4.4.4, glibc-2.11.2-r0, 2.6.36-gentoo x86_64)
now the compilation is successful
(In reply to comment #35)
From your build log it is clear that you got an ICE, so this is either your toolchain problem or a hardware issue.
Stable for PPC.
x86 stable
Tavis confirmed in #gentoo-security that sfperms is not suitable as an alternative fix:

20:43:49 < taviso> If you read the notes section (Search for "Notes"), I described an alternative technique using pipes that does not require read permission.
20:43:52 < taviso> (And to be clear, a binary does _not_ have to use $ORIGIN in DT_RPATH or DT_RUNPATH).

In order to get this finally fixed, arches, please stabilize =glibc-2.11.2-r3 which contains an additional patch that was accepted by upstream. Sorry for the double work.
(In reply to comment #39)
> x86 stable

amd64 is currently the only stable arch. Am I too eager? Or did you perhaps miss committing changes? Thanks.
#42: a new patch has been rolled, so the stable versions before comment #40 don't count.
Created attachment 252771 [details]
build.log

Build failure with USE="gd glibc-omitfp nls vanilla -debug -profile", but it also happens with -r2, so no regression.

Portage 2.1.8.3 (default/linux/x86/10.0/desktop, gcc-4.4.4, glibc-2.11.2-r2, 2.6.35-gentoo-r11 i686)
Stable on alpha.
Stable for HPPA PPC.
arm stable
i have no idea why -r3 was published for glibc. -r2 is sufficient for the security issues raised here.
vapier, -r2 only fixes CVE-2010-3856; -r3 also fixes CVE-2010-3847 and, as stated in comment #40, unlike thought before, the permissions don't save us. So glibc-2.11.2-r3 is the only version fixing both issues for good.
ia64/sh/sparc stable, s390 will pass because it follows IBM's recommended glibc versions
comment #40 has no bearing at all on $ORIGIN. the point was that LD_AUDIT is broken. that is fixed in -r2. so no, comment #40 is not justification for -r3.
<taviso> Honoome: fyi, i looked at the patch vapier applied to verify. He applied the patch that verifies the audit library has the suid bit set. The check specifically is `st.st_mode & S_ISUID) == 0` must be false...this only works if the other issue is fixed, because it assumes you can't add code to the trusted library search path. Because we can control $ORIGIN, we simply replace it with a DSO, set the suid bit (there is no check on uid), and then let
<taviso> The patch for the suid bit is important, but it only works (or makes sense) with the dst expansion fix.

So we do need -r3, not -r2. Given Tavis is the one who found the bug, I guess we can safely accept his opinion on the merits, no?
in other words, the *dst patch* is necessary to fully fix things. the $ORIGIN patch should not have been merged per my previous comments (like comment #22). exploiting that is trivial (simply see Bug 260331). so i've punted the $ORIGIN patch that isn't being merged upstream.
This is GLSA 201011-01, thanks everyone, and sorry about the delay.
CVE-2010-3856 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3856):
ld.so in the GNU C Library (aka glibc or libc6) before 2.11.3, and 2.12.x before 2.12.2, does not properly restrict use of the LD_AUDIT environment variable to reference dynamic shared objects (DSOs) as audit objects, which allows local users to gain privileges by leveraging an unsafe DSO located in a trusted library directory, as demonstrated by libpcprofile.so.

CVE-2010-3847 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3847):
elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory.