flameeyes 10/10/31 21:02:55 |
|
Modified: README.history |
Added: 0061_all_glibc-double-expansion.patch |
0062_all_glibc-no-ORIGIN-setuid.patch |
Log: |
New patches for the recent security issues. |
|
Revision Changes Path |
1.15 src/patchsets/glibc/2.11.2/README.history |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.11.2/README.history?rev=1.15&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.11.2/README.history?rev=1.15&content-type=text/plain |
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.11.2/README.history?r1=1.14&r2=1.15 |
|
Index: README.history |
17 |
=================================================================== |
18 |
RCS file: /var/cvsroot/gentoo/src/patchsets/glibc/2.11.2/README.history,v |
19 |
retrieving revision 1.14 |
20 |
retrieving revision 1.15 |
21 |
diff -u -r1.14 -r1.15 |
22 |
--- README.history 26 Oct 2010 15:01:20 -0000 1.14 |
23 |
+++ README.history 31 Oct 2010 21:02:55 -0000 1.15 |
24 |
@@ -1,3 +1,7 @@ |
25 |
+6 31.10.2010 |
26 |
+ + 0061_all_glibc-double-expansion.patch |
27 |
+ + 0062_all_glibc-no-ORIGIN-setuid.patch |
28 |
+ |
29 |
5 26.10.2010 |
30 |
+ 0060_all_glibc-ld-audit-setuid.patch |
31 |
|
|
|
|
1.1 src/patchsets/glibc/2.11.2/0061_all_glibc-double-expansion.patch |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.11.2/0061_all_glibc-double-expansion.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.11.2/0061_all_glibc-double-expansion.patch?rev=1.1&content-type=text/plain |
|
Index: 0061_all_glibc-double-expansion.patch |
=================================================================== |
From 22cd1c9bcf57c5829d65b6da825f7a459d40c9eb Mon Sep 17 00:00:00 2001 |
From: Andreas Schwab <schwab@××××××.com> |
Date: Sun, 24 Oct 2010 20:40:14 -0400 |
Subject: [PATCH] Don't expand DST twice in dl_open |
|
--- |
ChangeLog | 5 +++++ |
elf/dl-open.c | 29 ----------------------------- |
2 files changed, 5 insertions(+), 29 deletions(-) |
|
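--- a/elf/dl-open.c
+++ b/elf/dl-open.c
@@ -221,35 +221,6 @@ dl_open_worker (void *a)
 
 assert (_dl_debug_initialize (0, args->nsid)->r_state == RT_CONSISTENT);
 
- /* Maybe we have to expand a DST. */
- if (__builtin_expect (dst != NULL, 0))
- {
- size_t len = strlen (file);
-
- /* Determine how much space we need. We have to allocate the
- memory locally. */
- size_t required = DL_DST_REQUIRED (call_map, file, len,
- _dl_dst_count (dst, 0));
-
- /* Get space for the new file name. */
- char *new_file = (char *) alloca (required + 1);
-
- /* Generate the new file name. */
- _dl_dst_substitute (call_map, file, new_file, 0);
-
- /* If the substitution failed don't try to load. */
- if (*new_file == '\0')
- _dl_signal_error (0, "dlopen", NULL,
- N_("empty dynamic string token substitution"));
-
- /* Now we have a new file name. */
- file = new_file;
-
- /* It does not matter whether call_map is set even if we
- computed it only because of the DST. Since the path contains
- a slash the value is not used. See dl-load.c. */
- }
-
 /* Load the named object. */
 struct link_map *new;
 args->map = new = _dl_map_object (call_map, file, 0, lt_loaded, 0,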
-- |
1.7.2 |
|
|
|
|
1.1 src/patchsets/glibc/2.11.2/0062_all_glibc-no-ORIGIN-setuid.patch |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.11.2/0062_all_glibc-no-ORIGIN-setuid.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.11.2/0062_all_glibc-no-ORIGIN-setuid.patch?rev=1.1&content-type=text/plain |
|
Index: 0062_all_glibc-no-ORIGIN-setuid.patch |
=================================================================== |
From: Andreas Schwab <schwab at redhat dot com> |
Subject: [PATCH] Never expand $ORIGIN in privileged programs |
Date: Mon, 18 Oct 2010 15:12:09 +0200 |
|
Path elements containing $ORIGIN should always be ignored in privileged |
programs. |
|
Andreas. |
|
2010-10-18 Andreas Schwab <schwab@××××××.com> |
|
* elf/dl-load.c (is_dst): Remove last parameter. |
(_dl_dst_count): Ignore $ORIGIN in privileged programs. |
(_dl_dst_substitute): Likewise. |
--- |
elf/dl-load.c | 30 +++++++++++++----------------- |
1 files changed, 13 insertions(+), 17 deletions(-) |
|
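--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -169,8 +169,7 @@ local_strdup (const char *s)
 
 
 static size_t
-is_dst (const char *start, const char *name, const char *str,
- int is_path, int secure)
+is_dst (const char *start, const char *name, const char *str, int is_path)
 {
 size_t len;
 bool is_curly = false;
@@ -199,11 +198,6 @@ is_dst (const char *start, const char *name, const char *str,
 && (!is_path || name[len] != ':'))
 return 0;
 
- if (__builtin_expect (secure, 0)
- && ((name[len] != '\0' && (!is_path || name[len] != ':'))
- || (name != start + 1 && (!is_path || name[-2] != ':'))))
- return 0;
-
 return len;
 }
 
@@ -218,13 +212,12 @@ _dl_dst_count (const char *name, int is_path)
 {
 size_t len;
 
- /* $ORIGIN is not expanded for SUID/GUID programs (except if it
- is $ORIGIN alone) and it must always appear first in path. */
+ /* $ORIGIN is not expanded for SUID/GUID programs. */
 ++name;
- if ((len = is_dst (start, name, "ORIGIN", is_path,
- INTUSE(__libc_enable_secure))) != 0
- || (len = is_dst (start, name, "PLATFORM", is_path, 0)) != 0
- || (len = is_dst (start, name, "LIB", is_path, 0)) != 0)
+ if (((len = is_dst (start, name, "ORIGIN", is_path)) != 0
+ && !INTUSE(__libc_enable_secure))
+ || (len = is_dst (start, name, "PLATFORM", is_path)) != 0
+ || (len = is_dst (start, name, "LIB", is_path)) != 0)
 ++cnt;
 
 name = strchr (name + len, '$');
@@ -256,9 +249,12 @@ _dl_dst_substitute (struct link_map *l, const char *name, char *result,
 size_t len;
 
 ++name;
- if ((len = is_dst (start, name, "ORIGIN", is_path,
- INTUSE(__libc_enable_secure))) != 0)
+ if ((len = is_dst (start, name, "ORIGIN", is_path)) != 0)
 {
+ /* Ignore this path element in SUID/SGID programs. */
+ if (INTUSE(__libc_enable_secure))
+ repl = (const char *) -1;
+ else
 #ifndef SHARED
 if (l == NULL)
 repl = _dl_get_origin ();
@@ -266,9 +262,9 @@ _dl_dst_substitute (struct link_map *l, const char *name, char *result,
 #endif
 repl = l->l_origin;
 }
- else if ((len = is_dst (start, name, "PLATFORM", is_path, 0)) != 0)
+ else if ((len = is_dst (start, name, "PLATFORM", is_path)) != 0)
 repl = GLRO(dl_platform);
- else if ((len = is_dst (start, name, "LIB", is_path, 0)) != 0)
+ else if ((len = is_dst (start, name, "LIB", is_path)) != 0)
 repl = DL_DST_LIB;
 
 if (repl != NULL && repl != (const char *) -1)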
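Review bot: In the `_dl_dst_count` hunk, `$ORIGIN` is no longer counted when `__libc_enable_secure` is set, yet `_dl_dst_substitute` still recognises the token and is the only place that sets `repl = (const char *) -1` for it, so the two functions now disagree about whether such a string contains a token. If any caller skips substitution when the count is zero (the callers are outside these hunks, so this is inferred and should be checked), a privileged program would keep the literal, unexpanded `$ORIGIN` text in the search path instead of ignoring that element. Counting the token unconditionally, `if ((len = is_dst (start, name, "ORIGIN", is_path)) != 0`, and leaving the privilege decision to `_dl_dst_substitute` would keep them in agreement. Separately, the new brace-less `else` directly above `#ifndef SHARED` attaches to a different statement in each build configuration; braces around that branch would make the intent explicit. Both function bodies start and end outside the hunks shown.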
-- |
1.7.2.3 |
|
|
-- |
Andreas Schwab, schwab@××××××.com |
GPG Key fingerprint = D4E8 DBE3 3813 BB5D FA84 5EC7 45C6 250E 6F00 984E |
"And now for something completely different." |