There is an issue in Glibc where LD_DEBUG is allowed on suid binaries when it should not be. Patch is applied to glibc-2.3.4.20040619-r1, KEYWORDS="-* ~x86 ~mips ~amd64 ~hppa" ${FILESDIR}/glibc-sec-hotfix-20040804.patch The patch conflicts with owl-malloc patch in some glibcs, so they are both rolled into the patch. Remove owl-malloc if adding to another glibc. Arch folks please fix your current glibc or test + keyword a patched version.
hotfix applies cleanly to 2.3.2-r10 we'll also have to touch up the patch to apply cleanly to 2.2.5 (it just needs a few cosmetic touchups)
all glibc's in portage atm (except for glibc-2.3.4.20040619-r1) need to get updated and/or pruned arch maintainers: we'll add the patch and then post the versions that'll need to get marked stable / unstable
glibc-2.3.2-r11 is in portage ... these arches are eligible for moving to stable: x86 ppc sparc mips alpha arm hppa amd64 ia64 s390 this should be pretty painless since the only changes between the previous stables (glibc-2.3.2-r{9,10}) consists of: - ebuild clean up (moving flag mangling functions out of global scope) - no longer stripping libpthread or libthread_db - this security patch
Stable on amd64.
slarti - we dont even use 2.3.2 on amd64... glibc-2.3.4.20040619-r1 has the hotfix and that's what we use.
For stable profiles, here is what the arches currently use and should try to mark stable. This arches use a 2.3.2 and should test and mark the fixed 2.3.2-r11 : alpha (2.3.2-r9) arm (2.3.2-r10) hppa (2.3.2-r10) ia64 (2.3.2-r9) s390 (2.3.2-r10) sparc (2.3.2-r9) These arches currently use a 2.3.3. For them, a patched 2.3.3 should be produced, or maybe they can directly go for the 2.3.4.20040619-r1 : mips (2.3.3.20040420) x86 (2.3.3.20040420) This arch uses a 2.3.4. They should test and mark the fixed 2.3.4.20040619-r1 : ppc64 (2.3.4.20040605) This arch is already set : amd64 (2.3.4.20040619-r1)
glibc-2.3.2-r11 marked stable on ia64
stable on arm
glibc-2.3.2-r11 gone sparc stable.
Added patch to new glibc-2.3.3.20040420-r1 for x86 stablage.
Done on hppa.
We still need ppc for the GLSA to go out. Also alpha ppc64 s390 should mark stable.
glibc-2.3.2-r11 marked stable on alpha.
glibc-2.3.3.20040420-r1 stable on ppc.
Ready for GLSA. Security please review draft.
The discovery of this bug and patch comes from Brad Spengler of the grsecurity project.
Silvio Cesare actually discovered the bug. I just wrote the patch.
mips stable bumped to 2.3.4.20040619-r1.
***bump*** ppc64 and s390 last chance to mark stable before the GLSA go out. ***bump***
GLSA 200408-16 ppc64 and s390 please remember to mark stable to benifit from the GLSA.
I'll point out there's nothing to be done here for ppc64. We don't use a versoin of glibc that old.