1 |
flameeyes 09/07/16 14:00:04 |
2 |
|
3 |
Added: pulseaudio-0.9.9-CVE-2009-1894.patch |
4 |
pulseaudio-0.9.16-CVE-2009-1894.patch |
5 |
pulseaudio-0.9.15-CVE-2009-1894.patch |
6 |
Log: |
7 |
Add patch to fix CVE-2009-1894, see bug #276986. |
8 |
(Portage version: 2.2_rc33/cvs/Linux x86_64, RepoMan options: --force) |
9 |
|
10 |
Revision Changes Path |
11 |
1.1 media-sound/pulseaudio/files/pulseaudio-0.9.9-CVE-2009-1894.patch |
12 |
|
13 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-sound/pulseaudio/files/pulseaudio-0.9.9-CVE-2009-1894.patch?rev=1.1&view=markup |
14 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-sound/pulseaudio/files/pulseaudio-0.9.9-CVE-2009-1894.patch?rev=1.1&content-type=text/plain |
15 |
|
16 |
Index: pulseaudio-0.9.9-CVE-2009-1894.patch |
17 |
=================================================================== |
18 |
From fdd11d6cc0f4c75f75c62fb7d419d157ce00c956 Mon Sep 17 00:00:00 2001 |
19 |
From: =?utf-8?q?Diego=20Elio=20'Flameeyes'=20Petten=C3=B2?= <flameeyes@×××××.com> |
20 |
Date: Tue, 7 Jul 2009 20:51:53 +0200 |
21 |
Subject: [PATCH] Remove exploitable LD_BIND_NOW hack. |
22 |
|
23 |
Instead of trying to re-execute pulseaudio itself with LD_BIND_NOW set, |
24 |
just find the correct flag for the linker to request immediate bindings |
25 |
(all ELF files support that option), and use that when linking the daemon. |
26 |
|
27 |
Reduce the amount of compiled and executed code as well. |
28 |
--- |
29 |
src/Makefile.am | 4 ++-- |
30 |
src/daemon/main.c | 19 ------------------- |
31 |
2 files changed, 2 insertions(+), 21 deletions(-) |
32 |
|
33 |
diff --git a/src/Makefile.am b/src/Makefile.am |
34 |
index 2ac4f3d..7d1c431 100644 |
35 |
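--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -147,9 +147,9 @@ PREOPEN_LIBS = $(modlibexec_LTLIBRARIES)
 endif
 
 if FORCE_PREOPEN
-pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) -dlpreopen force $(foreach f,$(PREOPEN_LIBS),-dlpreopen $(f))
+pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) -Wl,-z,now -dlpreopen force $(foreach f,$(PREOPEN_LIBS),-dlpreopen $(f))
 else
-pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) -dlopen force $(foreach f,$(PREOPEN_LIBS),-dlopen $(f))
+pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) -Wl,-z,now -dlopen force $(foreach f,$(PREOPEN_LIBS),-dlopen $(f))
 endif
 
 if HAVE_POLKIT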
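Review bot: `-Wl,-z,now` is hard-coded into both `pulseaudio_LDFLAGS` assignments here, although the patch description speaks of finding the correct linker flag; the same applies to the src/Makefile.am hunk of the 0.9.15 patch, whereas the 0.9.16 variant probes the flag in configure.ac and links with `$(IMMEDIATE_LDFLAGS)`. On a toolchain whose linker rejects `-z now` the link would presumably fail, so a comment such as `# -z now replaces the removed LD_BIND_NOW re-exec (CVE-2009-1894); assumes a GNU- or Sun-style linker` above the conditional would record the assumption. Since the main.c context in this patch shows the daemon can run setuid root, it is also worth checking whether `$(BINLDFLAGS)` already carries `-Wl,-z,relro`, because immediate binding only leaves the GOT read-only when combined with it.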
49 |
diff --git a/src/daemon/main.c b/src/daemon/main.c |
50 |
index 4276d1d..c788917 100644 |
51 |
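--- a/src/daemon/main.c
+++ b/src/daemon/main.c
@@ -340,25 +340,6 @@ int main(int argc, char *argv[]) {
 #endif
 
 
-#if defined(__linux__) && defined(__OPTIMIZE__)
- /*
- Disable lazy relocations to make usage of external libraries
- more deterministic for our RT threads. We abuse __OPTIMIZE__ as
- a check whether we are a debug build or not.
- */
-
- if (!getenv("LD_BIND_NOW")) {
- char *rp;
-
- /* We have to execute ourselves, because the libc caches the
- * value of $LD_BIND_NOW on initialization. */
-
- putenv(pa_xstrdup("LD_BIND_NOW=1"));
- pa_assert_se(rp = pa_readlink("/proc/self/exe"));
- pa_assert_se(execv(rp, argv) == 0);
- }
-#endif
-
 #ifdef HAVE_GETUID
 real_root = getuid() == 0;
 suid_root = !real_root && geteuid() == 0;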
79 |
-- |
80 |
1.6.3.3 |
81 |
|
82 |
|
83 |
|
84 |
|
85 |
1.1 media-sound/pulseaudio/files/pulseaudio-0.9.16-CVE-2009-1894.patch |
86 |
|
87 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-sound/pulseaudio/files/pulseaudio-0.9.16-CVE-2009-1894.patch?rev=1.1&view=markup |
88 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-sound/pulseaudio/files/pulseaudio-0.9.16-CVE-2009-1894.patch?rev=1.1&content-type=text/plain |
89 |
|
90 |
Index: pulseaudio-0.9.16-CVE-2009-1894.patch |
91 |
=================================================================== |
92 |
From fdd11d6cc0f4c75f75c62fb7d419d157ce00c956 Mon Sep 17 00:00:00 2001 |
93 |
From: =?utf-8?q?Diego=20Elio=20'Flameeyes'=20Petten=C3=B2?= <flameeyes@×××××.com> |
94 |
Date: Tue, 7 Jul 2009 20:51:53 +0200 |
95 |
Subject: [PATCH] Remove exploitable LD_BIND_NOW hack. |
96 |
|
97 |
Instead of trying to re-execute pulseaudio itself with LD_BIND_NOW set, |
98 |
just find the correct flag for the linker to request immediate bindings |
99 |
(all ELF files support that option), and use that when linking the daemon. |
100 |
|
101 |
Reduce the amount of compiled and executed code as well. |
102 |
--- |
103 |
configure.ac | 6 ++++++ |
104 |
src/Makefile.am | 4 ++-- |
105 |
src/daemon/main.c | 22 ---------------------- |
106 |
3 files changed, 8 insertions(+), 24 deletions(-) |
107 |
|
108 |
diff --git a/configure.ac b/configure.ac |
109 |
index 9c96d1c..cc7f674 100644 |
110 |
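--- a/configure.ac
+++ b/configure.ac
@@ -113,6 +113,12 @@ CC_CHECK_LDFLAGS([${tmp_ldflag}],
 [VERSIONING_LDFLAGS='-Wl,-version-script=$(srcdir)/map-file'])
 AC_SUBST([VERSIONING_LDFLAGS])
 
+dnl Use immediate (now) bindings; avoids the funky re-call in itself
+dnl the -z now syntax is lifted from Sun's linker and works with GNU's too
+dnl other linkes might be added later
+CC_CHECK_LDFLAGS([-Wl,-z,now], [IMMEDIATE_LDFLAGS="-Wl,-z,now"])
+AC_SUBST([IMMEDIATE_LDFLAGS])
+
 dnl Check for the proper way to build libraries that have no undefined
 dnl symbols; on some hosts this needs to be avoided but the macro
 dnl takes care of it.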
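Review bot: When the `CC_CHECK_LDFLAGS([-Wl,-z,now], ...)` probe fails, `IMMEDIATE_LDFLAGS` is never assigned, so the daemon is linked with lazy binding and no message is printed, while the same patch deletes the runtime fallback in src/daemon/main.c. Because the variable is not initialised before the probe, a value inherited from the configure environment would presumably also be substituted unchecked. Setting `IMMEDIATE_LDFLAGS=` ahead of the probe and following it with `AS_IF([test "x$IMMEDIATE_LDFLAGS" = x], [AC_MSG_WARN([linker does not accept -z now; daemon will use lazy binding])])` would make the loss visible. The added comment also has a typo, `linkes` for `linkers`.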
125 |
diff --git a/src/Makefile.am b/src/Makefile.am |
126 |
index 7ebf1f8..ac627c8 100644 |
127 |
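--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -183,9 +183,9 @@ PREOPEN_LIBS = $(modlibexec_LTLIBRARIES)
 endif
 
 if FORCE_PREOPEN
-pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) -dlpreopen force $(foreach f,$(PREOPEN_LIBS),-dlpreopen $(f))
+pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) $(IMMEDIATE_LDFLAGS) -dlpreopen force $(foreach f,$(PREOPEN_LIBS),-dlpreopen $(f))
 else
-pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) -dlopen force $(foreach f,$(PREOPEN_LIBS),-dlopen $(f))
+pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) $(IMMEDIATE_LDFLAGS) -dlopen force $(foreach f,$(PREOPEN_LIBS),-dlopen $(f))
 endif
 
 ###################################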
141 |
diff --git a/src/daemon/main.c b/src/daemon/main.c |
142 |
index eb378d2..0f6fc90 100644 |
143 |
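--- a/src/daemon/main.c
+++ b/src/daemon/main.c
@@ -401,28 +401,6 @@ int main(int argc, char *argv[]) {
 pa_log_set_level(PA_LOG_NOTICE);
 pa_log_set_flags(PA_LOG_COLORS|PA_LOG_PRINT_FILE|PA_LOG_PRINT_LEVEL, PA_LOG_RESET);
 
-#if defined(__linux__) && defined(__OPTIMIZE__)
- /*
- Disable lazy relocations to make usage of external libraries
- more deterministic for our RT threads. We abuse __OPTIMIZE__ as
- a check whether we are a debug build or not.
- */
-
- if (!getenv("LD_BIND_NOW")) {
- char *rp;
-
- /* We have to execute ourselves, because the libc caches the
- * value of $LD_BIND_NOW on initialization. */
-
- pa_set_env("LD_BIND_NOW", "1");
-
- if ((rp = pa_readlink("/proc/self/exe")))
- pa_assert_se(execv(rp, argv) == 0);
- else
- pa_log_warn("Couldn't read /proc/self/exe, cannot self execute. Running in a chroot()?");
- }
-#endif
-
 if ((e = getenv("PULSE_PASSED_FD"))) {
 passed_fd = atoi(e);
 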
174 |
-- |
175 |
1.6.3.3 |
176 |
|
177 |
|
178 |
|
179 |
|
180 |
1.1 media-sound/pulseaudio/files/pulseaudio-0.9.15-CVE-2009-1894.patch |
181 |
|
182 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-sound/pulseaudio/files/pulseaudio-0.9.15-CVE-2009-1894.patch?rev=1.1&view=markup |
183 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-sound/pulseaudio/files/pulseaudio-0.9.15-CVE-2009-1894.patch?rev=1.1&content-type=text/plain |
184 |
|
185 |
Index: pulseaudio-0.9.15-CVE-2009-1894.patch |
186 |
=================================================================== |
187 |
Index: pulseaudio-0.9.15/src/daemon/main.c |
188 |
=================================================================== |
189 |
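--- pulseaudio-0.9.15.orig/src/daemon/main.c
+++ pulseaudio-0.9.15/src/daemon/main.c
@@ -399,28 +399,6 @@ int main(int argc, char *argv[]) {
 pa_log_set_level(PA_LOG_NOTICE);
 pa_log_set_flags(PA_LOG_COLORS|PA_LOG_PRINT_FILE|PA_LOG_PRINT_LEVEL, PA_LOG_RESET);
 
-#if defined(__linux__) && defined(__OPTIMIZE__)
- /*
- Disable lazy relocations to make usage of external libraries
- more deterministic for our RT threads. We abuse __OPTIMIZE__ as
- a check whether we are a debug build or not.
- */
-
- if (!getenv("LD_BIND_NOW")) {
- char *rp;
-
- /* We have to execute ourselves, because the libc caches the
- * value of $LD_BIND_NOW on initialization. */
-
- pa_set_env("LD_BIND_NOW", "1");
-
- if ((rp = pa_readlink("/proc/self/exe")))
- pa_assert_se(execv(rp, argv) == 0);
- else
- pa_log_warn("Couldn't read /proc/self/exe, cannot self execute. Running in a chroot()?");
- }
-#endif
-
 #ifdef HAVE_GETUID
 real_root = getuid() == 0;
 suid_root = !real_root && geteuid() == 0;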
220 |
Index: pulseaudio-0.9.15/src/Makefile.am |
221 |
=================================================================== |
222 |
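--- pulseaudio-0.9.15.orig/src/Makefile.am
+++ pulseaudio-0.9.15/src/Makefile.am
@@ -153,9 +153,9 @@ PREOPEN_LIBS = $(modlibexec_LTLIBRARIES)
 endif
 
 if FORCE_PREOPEN
-pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) -dlpreopen force $(foreach f,$(PREOPEN_LIBS),-dlpreopen $(f))
+pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) -Wl,-z,now -dlpreopen force $(foreach f,$(PREOPEN_LIBS),-dlpreopen $(f))
 else
-pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) -dlopen force $(foreach f,$(PREOPEN_LIBS),-dlopen $(f))
+pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) -Wl,-z,now -dlopen force $(foreach f,$(PREOPEN_LIBS),-dlopen $(f))
 endif
 
 if HAVE_POLKIT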