packages: glibc/glibc.spec, glibc/glibc-suid-audit-libs.patch (NEW) - rel 8...

baggins baggins at pld-linux.org
Thu Oct 28 12:23:08 CEST 2010


Author: baggins                      Date: Thu Oct 28 10:23:08 2010 GMT
Module: packages                      Tag: HEAD
---- Log message:
- rel 8
- fix CVE-2010-3856, see http://seclists.org/bugtraq/2010/Oct/200 for details

---- Files affected:
packages/glibc:
   glibc.spec (1.883 -> 1.884) , glibc-suid-audit-libs.patch (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: packages/glibc/glibc.spec
diff -u packages/glibc/glibc.spec:1.883 packages/glibc/glibc.spec:1.884
--- packages/glibc/glibc.spec:1.883	Thu Oct 21 00:16:27 2010
+++ packages/glibc/glibc.spec	Thu Oct 28 12:23:02 2010
@@ -35,7 +35,7 @@
 Summary(uk.UTF-8):	GNU libc версії
 Name:		glibc
 Version:	2.12.1
-Release:	7
+Release:	8
 Epoch:		6
 License:	LGPL v2.1+
 Group:		Libraries
@@ -79,6 +79,7 @@
 Patch30:	%{name}-static-glro-init.patch
 Patch31:	%{name}-newmake.patch
 Patch32:	%{name}-origin.patch
+Patch33:	%{name}-suid-audit-libs.patch
 URL:		http://www.gnu.org/software/libc/
 %{?with_selinux:BuildRequires:	audit-libs-devel}
 BuildRequires:	autoconf
@@ -927,6 +928,7 @@
 %patch30 -p1
 %patch31 -p1
 %patch32 -p1
+%patch33 -p1
 
 # cleanup backups after patching
 find '(' -name '*~' -o -name '*.orig' ')' -print0 | xargs -0 -r -l512 rm -f
@@ -1691,6 +1693,10 @@
 All persons listed below can be reached at <cvs_login>@pld-linux.org
 
 $Log$
+Revision 1.884  2010/10/28 10:23:02  baggins
+- rel 8
+- fix CVE-2010-3856, see http://seclists.org/bugtraq/2010/Oct/200 for details
+
 Revision 1.883  2010/10/20 22:16:27  qwiat
 - added locale en at shaw
 

================================================================
Index: packages/glibc/glibc-suid-audit-libs.patch
diff -u /dev/null packages/glibc/glibc-suid-audit-libs.patch:1.1
--- /dev/null	Thu Oct 28 12:23:08 2010
+++ packages/glibc/glibc-suid-audit-libs.patch	Thu Oct 28 12:23:02 2010
@@ -0,0 +1,269 @@
+From libc-hacker-return-9651-listarch-libc-hacker=sources dot redhat dot com at sourceware dot org Fri Oct 22 17:17:33 2010
+Return-Path: <libc-hacker-return-9651-listarch-libc-hacker=sources dot redhat dot com at sourceware dot org>
+Delivered-To: listarch-libc-hacker at sources dot redhat dot com
+Received: (qmail 15374 invoked by alias); 22 Oct 2010 17:17:31 -0000
+Received: (qmail 15356 invoked by uid 22791); 22 Oct 2010 17:17:29 -0000
+X-SWARE-Spam-Status: No, hits=-6.1 required=5.0
+	tests=AWL,BAYES_00,RCVD_IN_DNSWL_HI,SPF_HELO_PASS,T_RP_MATCHES_RCVD
+X-Spam-Check-By: sourceware.org
+Received: from mx1.redhat.com (HELO mx1.redhat.com) (209.132.183.28)
+    by sourceware dot org (qpsmtpd/0 dot 43rc1) with ESMTP; Fri, 22 Oct 2010 17:17:24 +0000
+Received: from int-mx01.intmail.prod.int.phx2.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11])
+	by mx1 dot redhat dot com (8 dot 13 dot 8/8 dot 13 dot 8) with ESMTP id o9MHHMI2013888
+	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
+	for <libc-hacker at sourceware dot org>; Fri, 22 Oct 2010 13:17:23 -0400
+Received: from hase.home (ovpn01.gateway.prod.ext.phx2.redhat.com [10.5.9.1])
+	by int-mx01 dot intmail dot prod dot int dot phx2 dot redhat dot com (8 dot 13 dot 8/8 dot 13 dot 8) with ESMTP id o9MHHLZN030282
+	for <libc-hacker at sourceware dot org>; Fri, 22 Oct 2010 13:17:21 -0400
+From: Andreas Schwab <schwab at redhat dot com>
+To: libc-hacker at sourceware dot org
+Subject: [PATCH] Require suid bit on audit objects in privileged programs
+X-Yow: This MUST be a good party -- My RIB CAGE is being painfully
+ pressed up against someone's MARTINI!!
+Date: Fri, 22 Oct 2010 19:17:20 +0200
+Message-ID: <m3bp6mb10f.fsf at hase.home>
+User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.2 (gnu/linux)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=us-ascii
+Mailing-List: contact libc-hacker-help at sourceware dot org; run by ezmlm
+Precedence: bulk
+List-Id: <libc-hacker.sourceware.org>
+List-Subscribe: <mailto:libc-hacker-subscribe at sourceware dot org>
+List-Archive: <http://sourceware.org/ml/libc-hacker/>
+List-Post: <mailto:libc-hacker at sourceware dot org>
+List-Help: <mailto:libc-hacker-help at sourceware dot org>, <http://sourceware dot org/ml/#faqs>
+Sender: libc-hacker-owner at sourceware dot org
+Delivered-To: mailing list libc-hacker at sourceware dot org
+
+2010-10-22  Andreas Schwab  <schwab at redhat.com>
+
+	* include/dlfcn.h (__RTLD_SECURE): Define.
+	* elf/dl-load.c (_dl_map_object): Remove preloaded parameter.  Use
+	mode & __RTLD_SECURE instead.
+	(open_path): Rename preloaded parameter to secure.
+	* sysdeps/generic/ldsodefs.h (_dl_map_object): Adjust declaration.
+	* elf/dl-open.c (dl_open_worker): Adjust call to _dl_map_object.
+	* elf/dl-deps.c (openaux): Likewise.
+	* elf/rtld.c (struct map_args): Remove is_preloaded.
+	(map_doit): Don't use it.
+	(dl_main): Likewise.
+	(do_preload): Use __RTLD_SECURE instead of is_preloaded.
+	(dlmopen_doit): Add __RTLD_SECURE to mode bits.
+---
+ elf/dl-deps.c              |    2 +-
+ elf/dl-load.c              |   20 +++++++++++---------
+ elf/dl-open.c              |    2 +-
+ elf/rtld.c                 |   16 +++++++---------
+ include/dlfcn.h            |    1 +
+ sysdeps/generic/ldsodefs.h |    6 ++----
+ 6 files changed, 23 insertions(+), 24 deletions(-)
+
+diff --git a/elf/dl-deps.c b/elf/dl-deps.c
+index e5b9cdf..1cab2d1 100644
+--- a/elf/dl-deps.c
++++ b/elf/dl-deps.c
+@@ -62,7 +62,7 @@ openaux (void *a)
+ {
+   struct openaux_args *args = (struct openaux_args *) a;
+ 
+-  args->aux = _dl_map_object (args->map, args->name, 0,
++  args->aux = _dl_map_object (args->map, args->name,
+ 			      (args->map->l_type == lt_executable
+ 			       ? lt_library : args->map->l_type),
+ 			      args->trace_mode, args->open_mode,
+diff --git a/elf/dl-load.c b/elf/dl-load.c
+index 776f7e4..9ab3520 100644
+--- a/elf/dl-load.c
++++ b/elf/dl-load.c
+@@ -1808,7 +1808,7 @@ open_verify (const char *name, struct filebuf *fbp, struct link_map *loader,
+    if MAY_FREE_DIRS is true.  */
+ 
+ static int
+-open_path (const char *name, size_t namelen, int preloaded,
++open_path (const char *name, size_t namelen, int secure,
+ 	   struct r_search_path_struct *sps, char **realname,
+ 	   struct filebuf *fbp, struct link_map *loader, int whatcode,
+ 	   bool *found_other_class)
+@@ -1890,7 +1890,7 @@ open_path (const char *name, size_t namelen, int preloaded,
+ 	  /* Remember whether we found any existing directory.  */
+ 	  here_any |= this_dir->status[cnt] != nonexisting;
+ 
+-	  if (fd != -1 && __builtin_expect (preloaded, 0)
++	  if (fd != -1 && __builtin_expect (secure, 0)
+ 	      && INTUSE(__libc_enable_secure))
+ 	    {
+ 	      /* This is an extra security effort to make sure nobody can
+@@ -1959,7 +1959,7 @@ open_path (const char *name, size_t namelen, int preloaded,
+ 
+ struct link_map *
+ internal_function
+-_dl_map_object (struct link_map *loader, const char *name, int preloaded,
++_dl_map_object (struct link_map *loader, const char *name,
+ 		int type, int trace_mode, int mode, Lmid_t nsid)
+ {
+   int fd;
+@@ -2063,7 +2063,8 @@ _dl_map_object (struct link_map *loader, const char *name, int preloaded,
+ 	  for (l = loader; l; l = l->l_loader)
+ 	    if (cache_rpath (l, &l->l_rpath_dirs, DT_RPATH, "RPATH"))
+ 	      {
+-		fd = open_path (name, namelen, preloaded, &l->l_rpath_dirs,
++		fd = open_path (name, namelen, mode & __RTLD_SECURE,
++				&l->l_rpath_dirs,
+ 				&realname, &fb, loader, LA_SER_RUNPATH,
+ 				&found_other_class);
+ 		if (fd != -1)
+@@ -2078,14 +2079,15 @@ _dl_map_object (struct link_map *loader, const char *name, int preloaded,
+ 	      && main_map != NULL && main_map->l_type != lt_loaded
+ 	      && cache_rpath (main_map, &main_map->l_rpath_dirs, DT_RPATH,
+ 			      "RPATH"))
+-	    fd = open_path (name, namelen, preloaded, &main_map->l_rpath_dirs,
++	    fd = open_path (name, namelen, mode & __RTLD_SECURE,
++			    &main_map->l_rpath_dirs,
+ 			    &realname, &fb, loader ?: main_map, LA_SER_RUNPATH,
+ 			    &found_other_class);
+ 	}
+ 
+       /* Try the LD_LIBRARY_PATH environment variable.  */
+       if (fd == -1 && env_path_list.dirs != (void *) -1)
+-	fd = open_path (name, namelen, preloaded, &env_path_list,
++	fd = open_path (name, namelen, mode & __RTLD_SECURE, &env_path_list,
+ 			&realname, &fb,
+ 			loader ?: GL(dl_ns)[LM_ID_BASE]._ns_loaded,
+ 			LA_SER_LIBPATH, &found_other_class);
+@@ -2094,12 +2096,12 @@ _dl_map_object (struct link_map *loader, const char *name, int preloaded,
+       if (fd == -1 && loader != NULL
+ 	  && cache_rpath (loader, &loader->l_runpath_dirs,
+ 			  DT_RUNPATH, "RUNPATH"))
+-	fd = open_path (name, namelen, preloaded,
++	fd = open_path (name, namelen, mode & __RTLD_SECURE,
+ 			&loader->l_runpath_dirs, &realname, &fb, loader,
+ 			LA_SER_RUNPATH, &found_other_class);
+ 
+       if (fd == -1
+-	  && (__builtin_expect (! preloaded, 1)
++	  && (__builtin_expect (! (mode & __RTLD_SECURE), 1)
+ 	      || ! INTUSE(__libc_enable_secure)))
+ 	{
+ 	  /* Check the list of libraries in the file /etc/ld.so.cache,
+@@ -2165,7 +2167,7 @@ _dl_map_object (struct link_map *loader, const char *name, int preloaded,
+ 	  && ((l = loader ?: GL(dl_ns)[nsid]._ns_loaded) == NULL
+ 	      || __builtin_expect (!(l->l_flags_1 & DF_1_NODEFLIB), 1))
+ 	  && rtld_search_dirs.dirs != (void *) -1)
+-	fd = open_path (name, namelen, preloaded, &rtld_search_dirs,
++	fd = open_path (name, namelen, mode & __RTLD_SECURE, &rtld_search_dirs,
+ 			&realname, &fb, l, LA_SER_DEFAULT, &found_other_class);
+ 
+       /* Add another newline when we are tracing the library loading.  */
+diff --git a/elf/dl-open.c b/elf/dl-open.c
+index c394b3f..cf8e8cc 100644
+--- a/elf/dl-open.c
++++ b/elf/dl-open.c
+@@ -223,7 +223,7 @@ dl_open_worker (void *a)
+ 
+   /* Load the named object.  */
+   struct link_map *new;
+-  args->map = new = _dl_map_object (call_map, file, 0, lt_loaded, 0,
++  args->map = new = _dl_map_object (call_map, file, lt_loaded, 0,
+ 				    mode | __RTLD_CALLMAP, args->nsid);
+ 
+   /* If the pointer returned is NULL this means the RTLD_NOLOAD flag is
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 201c9cf..4a8cee8 100644
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -587,7 +587,6 @@ struct map_args
+   /* Argument to map_doit.  */
+   char *str;
+   struct link_map *loader;
+-  int is_preloaded;
+   int mode;
+   /* Return value of map_doit.  */
+   struct link_map *map;
+@@ -625,16 +624,17 @@ static void
+ map_doit (void *a)
+ {
+   struct map_args *args = (struct map_args *) a;
+-  args->map = _dl_map_object (args->loader, args->str,
+-			      args->is_preloaded, lt_library, 0, args->mode,
+-			      LM_ID_BASE);
++  args->map = _dl_map_object (args->loader, args->str, lt_library, 0,
++			      args->mode, LM_ID_BASE);
+ }
+ 
+ static void
+ dlmopen_doit (void *a)
+ {
+   struct dlmopen_args *args = (struct dlmopen_args *) a;
+-  args->map = _dl_open (args->fname, RTLD_LAZY | __RTLD_DLOPEN | __RTLD_AUDIT,
++  args->map = _dl_open (args->fname,
++			(RTLD_LAZY | __RTLD_DLOPEN | __RTLD_AUDIT
++			 | __RTLD_SECURE),
+ 			dl_main, LM_ID_NEWLM, _dl_argc, INTUSE(_dl_argv),
+ 			__environ);
+ }
+@@ -804,8 +804,7 @@ do_preload (char *fname, struct link_map *main_map, const char *where)
+ 
+   args.str = fname;
+   args.loader = main_map;
+-  args.is_preloaded = 1;
+-  args.mode = 0;
++  args.mode = __RTLD_SECURE;
+ 
+   unsigned int old_nloaded = GL(dl_ns)[LM_ID_BASE]._ns_nloaded;
+ 
+@@ -1050,7 +1049,6 @@ of this helper program; chances are you did not intend to run this program.\n\
+ 
+ 	  args.str = rtld_progname;
+ 	  args.loader = NULL;
+-	  args.is_preloaded = 0;
+ 	  args.mode = __RTLD_OPENEXEC;
+ 	  (void) _dl_catch_error (&objname, &err_str, &malloced, map_doit,
+ 				  &args);
+@@ -1062,7 +1060,7 @@ of this helper program; chances are you did not intend to run this program.\n\
+       else
+ 	{
+ 	  HP_TIMING_NOW (start);
+-	  _dl_map_object (NULL, rtld_progname, 0, lt_library, 0,
++	  _dl_map_object (NULL, rtld_progname, lt_library, 0,
+ 			  __RTLD_OPENEXEC, LM_ID_BASE);
+ 	  HP_TIMING_NOW (stop);
+ 
+diff --git a/include/dlfcn.h b/include/dlfcn.h
+index a67426d..af92483 100644
+--- a/include/dlfcn.h
++++ b/include/dlfcn.h
+@@ -9,6 +9,7 @@
+ #define __RTLD_OPENEXEC	0x20000000
+ #define __RTLD_CALLMAP	0x10000000
+ #define __RTLD_AUDIT	0x08000000
++#define __RTLD_SECURE	0x04000000 /* Apply additional security checks.  */
+ 
+ #define __LM_ID_CALLER	-2
+ 
+diff --git a/sysdeps/generic/ldsodefs.h b/sysdeps/generic/ldsodefs.h
+index fcc943b..fa4b6b2 100644
+--- a/sysdeps/generic/ldsodefs.h
++++ b/sysdeps/generic/ldsodefs.h
+@@ -824,11 +824,9 @@ extern void _dl_receive_error (receiver_fct fct, void (*operate) (void *),
+ 
+ /* Open the shared object NAME and map in its segments.
+    LOADER's DT_RPATH is used in searching for NAME.
+-   If the object is already opened, returns its existing map.
+-   For preloaded shared objects PRELOADED is set to a non-zero
+-   value to allow additional security checks.  */
++   If the object is already opened, returns its existing map.  */
+ extern struct link_map *_dl_map_object (struct link_map *loader,
+-					const char *name, int preloaded,
++					const char *name,
+ 					int type, int trace_mode, int mode,
+ 					Lmid_t nsid)
+      internal_function attribute_hidden;
+-- 
+1.7.2.3
+
+
+-- 
+Andreas Schwab, schwab at redhat.com
+GPG Key fingerprint = D4E8 DBE3 3813 BB5D FA84  5EC7 45C6 250E 6F00 984E
+"And now for something completely different."
+
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/glibc/glibc.spec?r1=1.883&r2=1.884&f=u



More information about the pld-cvs-commit mailing list