From: Efraim Flashner
Subject: bug#27429: Stack clash (CVE-2017-1000366 etc)
Date: Tue, 20 Jun 2017 10:18:57 +0300
Message-ID: <20170620071857.GA2768@macbook42.flashner.co.il>
In-Reply-To: <20170620004920.GB31586@jasmine.lan>
To: Leo Famulari
Cc: 27429@debbugs.gnu.org

On Mon, Jun 19, 2017 at 08:49:20PM -0400, Leo Famulari wrote:
> On the glibc bugs (CVE-2016-1000366), civodul said:
>
> [21:02:26] lfam: i *think* GuixSD is immune to the LD_LIBRARY_PATH one, FWIW
> [...]
> [21:02:43] lfam: because of the way is_trusted_path works in glibc
>
> https://gnunet.org/bot/log/guix/2017-06-19#T1422600
>
> Relevant upstream commits:
>
> CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1 programs [BZ #21624]
> https://sourceware.org/git/?p=glibc.git;a=commit;h=f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d
>
> ld.so: Reject overly long LD_PRELOAD path elements
> https://sourceware.org/git/?p=glibc.git;a=commit;h=6d0ba622891bed9d8394eef1935add53003b12e8
>
> ld.so: Reject overly long LD_AUDIT path elements:
> https://sourceware.org/git/?p=glibc.git;a=commit;h=81b82fb966ffbd94353f793ad17116c6088dedd9

I don't know if this is true or not, but I have a patch here locally that
seems to work against the CVE. I haven't downloaded the other patches and
added them, but with all the '(replacement #f)''s in place it should just
work to add them in to the glibc packages we have. I'll wait and see
before pushing the patch.

--
Efraim Flashner              אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

Attachment: 0001-gnu-glibc-Patch-CVE-2017-1000366.patch

From 2a83d2a8265314af3d8b16f86187897223567d6e Mon Sep 17 00:00:00 2001
From: Efraim Flashner
Date: Mon, 19 Jun 2017 23:13:53 +0300
Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.

* gnu/packages/base.scm (glibc)[replacement]: New field.
(glibc-2.25-fixed): New variable.
(glibc@2.24, glibc@2.23, glibc@2.22, glibc@2.21)[source]: Add patch.
[replacement]: New field.
(glibc-locales)[replacement]: New field.
* gnu/packages/commencement.scm (glibc-final-with-bootstrap-bash,
cross-gcc-wrapper, glibc-final)[replacement]: New field.
* gnu/packages/patches/glibc-CVE-2017-1000366.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. --- gnu/local.mk | 1 + gnu/packages/base.scm | 39 +++++++++++++++++++= ---- gnu/packages/commencement.scm | 4 +++ gnu/packages/patches/glibc-CVE-2017-1000366.patch | 33 +++++++++++++++++++ 4 files changed, 71 insertions(+), 6 deletions(-) create mode 100644 gnu/packages/patches/glibc-CVE-2017-1000366.patch diff --git a/gnu/local.mk b/gnu/local.mk index ae4a59af0..6b598335b 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -632,6 +632,7 @@ dist_patch_DATA =3D \ %D%/packages/patches/ghostscript-runpath.patch \ %D%/packages/patches/glib-networking-ssl-cert-file.patch \ %D%/packages/patches/glib-tests-timer.patch \ + %D%/packages/patches/glibc-CVE-2017-1000366.patch \ %D%/packages/patches/glibc-bootstrap-system.patch \ %D%/packages/patches/glibc-ldd-x86_64.patch \ %D%/packages/patches/glibc-locales.patch \ diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index d135a18bf..fe066edcd 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm @@ -5,7 +5,7 @@ ;;; Copyright =C2=A9 2014, 2015, 2016 Mark H Weaver ;;; Copyright =C2=A9 2014 Alex Kost ;;; Copyright =C2=A9 2014, 2015 Manolis Fragkiskos Ragkousis -;;; Copyright =C2=A9 2016 Efraim Flashner +;;; Copyright =C2=A9 2016, 2017 Efraim Flashner ;;; Copyright =C2=A9 2016 Jan Nieuwenhuizen ;;; Copyright =C2=A9 2017 Marius Bakke ;;; @@ -558,6 +558,7 @@ store.") (package (name "glibc") (version "2.25") + (replacement glibc-2.25-patched) (source (origin (method url-fetch) (uri (string-append "mirror://gnu/glibc/glibc-" 
@@ -904,34 +905,56 @@ GLIBC/HURD for a Hurd host" ;; Below are old libc versions, which we use mostly to build locale data in ;; the old format (which the new libc cannot cope with.) =20 +(define glibc-2.25-patched + (package + (inherit glibc) + (replacement #f) + (source (origin + (inherit (package-source glibc)) + (patches (search-patches "glibc-CVE-2017-1000366.patch" + "glibc-ldd-x86_64.patch" + "glibc-versioned-locpath.patch" + "glibc-o-largefile.patch")))))) + (define-public glibc-2.24 (package (inherit glibc) (version "2.24") + (replacement #f) (source (origin (inherit (package-source glibc)) (uri (string-append "mirror://gnu/glibc/glibc-" version ".tar.xz")) (sha256 (base32 - "1lxmprg9gm73gvafxd503x70z32phwjzcy74i0adfi6ixzla7m4r"))))= )) + "1lxmprg9gm73gvafxd503x70z32phwjzcy74i0adfi6ixzla7m4r")) + (patches (search-patches "glibc-CVE-2017-1000366.patch" + "glibc-ldd-x86_64.patch" + "glibc-versioned-locpath.patch" + "glibc-o-largefile.patch")))))) =20 (define-public glibc-2.23 (package (inherit glibc) (version "2.23") + (replacement #f) (source (origin (inherit (package-source glibc)) (uri (string-append "mirror://gnu/glibc/glibc-" version ".tar.xz")) (sha256 (base32 - "1s8krs3y2n6pzav7ic59dz41alqalphv7vww4138ag30wh0fpvwl"))))= )) + "1s8krs3y2n6pzav7ic59dz41alqalphv7vww4138ag30wh0fpvwl")) + (patches (search-patches "glibc-CVE-2017-1000366.patch" + "glibc-ldd-x86_64.patch" + "glibc-versioned-locpath.patch" + "glibc-o-largefile.patch")))))) =20 (define-public glibc-2.22 (package (inherit glibc) (version "2.22") + (replacement #f) (source (origin (inherit (package-source glibc)) (uri (string-append "mirror://gnu/glibc/glibc-" 
@@ -939,7 +962,8 @@ GLIBC/HURD for a Hurd host" (sha256 (base32 "0j49682pm2nh4qbdw35bas82p1pgfnz4d2l7iwfyzvrvj0318wzb")) - (patches (search-patches "glibc-ldd-x86_64.patch")))) + (patches (search-patches "glibc-CVE-2017-1000366.patch" + "glibc-ldd-x86_64.patch")))) (arguments (substitute-keyword-arguments (package-arguments glibc) ((#:phases phases) @@ -948,7 +972,8 @@ GLIBC/HURD for a Hurd host" (lambda _ ;; Use `pwd' instead of `/bin/pwd' for glibc-2.21 (substitute* "configure" - (("/bin/pwd") "pwd")))))))))) + (("/bin/pwd") "pwd")) + #t)))))))) =20 (define-public glibc-2.21 (package @@ -961,12 +986,14 @@ GLIBC/HURD for a Hurd host" (sha256 (base32 "1f135546j34s9bfkydmx2nhh9vwxlx60jldi80zmsnln6wj3dsxf")) - (patches (search-patches "glibc-ldd-x86_64.patch")))))) + (patches (search-patches "glibc-CVE-2017-1000366.patch" + "glibc-ldd-x86_64.patch")))))) =20 (define-public glibc-locales (package (inherit glibc) (name "glibc-locales") + (replacement #f) (source (origin (inherit (package-source glibc)) (patches (cons (search-patch "glibc-locales.patch") (origin-patches (package-source glibc))= )))) diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm index 1b41feac1..42892bbe8 100644 --- a/gnu/packages/commencement.scm +++ b/gnu/packages/commencement.scm @@ -3,6 +3,7 @@ ;;; Copyright =C2=A9 2014 Andreas Enge ;;; Copyright =C2=A9 2012 Nikita Karetnikov ;;; Copyright =C2=A9 2014, 2015 Mark H Weaver +;;; Copyright =C2=A9 2017 Efraim Flashner ;;; ;;; This file is part of GNU Guix. ;;; @@ -469,6 +470,7 @@ the bootstrap environment." (package-with-bootstrap-guile (package (inherit glibc) (name "glibc-intermediate") + (replacement #f) (arguments `(#:guile ,%bootstrap-guile #:implicit-inputs? #f @@ -540,6 +542,7 @@ the bootstrap environment." that makes it available under the native tool names." (package (inherit gcc) (name (string-append (package-name gcc) "-wrapped")) + (replacement #f) (source #f) (build-system trivial-build-system) (outputs '("out")) 
@@ -642,6 +645,7 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~= a \"$@\"~%" ;; The final glibc, which embeds the statically-linked Bash built above. (package (inherit glibc-final-with-bootstrap-bash) (name "glibc") + (replacement #f) (inputs `(("static-bash" ,static-bash-for-glibc) ,@(alist-delete "static-bash" diff --git a/gnu/packages/patches/glibc-CVE-2017-1000366.patch b/gnu/packag= es/patches/glibc-CVE-2017-1000366.patch new file mode 100644 index 000000000..106e81d91 --- /dev/null +++ b/gnu/packages/patches/glibc-CVE-2017-1000366.patch 
@@ -0,0 +1,33 @@ +From f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Mon, 19 Jun 2017 17:09:55 +0200 +Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=3D1 + programs [BZ #21624] + +LD_LIBRARY_PATH can only be used to reorder system search paths, which +is not useful functionality. + +This makes an exploitable unbounded alloca in _dl_init_paths unreachable +for AT_SECURE=3D1 programs. +--- + ChangeLog | 7 +++++++ + elf/rtld.c | 3 ++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/elf/rtld.c b/elf/rtld.c +index 2446a87..2269dbe 100644 +--- a/elf/rtld.c ++++ b/elf/rtld.c +@@ -2422,7 +2422,8 @@ process_envvars (enum mode *modep) +=20 + case 12: + /* The library search path. */ +- if (memcmp (envline, "LIBRARY_PATH", 12) =3D=3D 0) ++ if (!__libc_enable_secure ++ && memcmp (envline, "LIBRARY_PATH", 12) =3D=3D 0) + { + library_path =3D &envline[13]; + break; +--=20 +2.9.3 + --=20 2.13.1
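Review bot: the ChangeLog entry "(glibc-2.25-fixed): New variable." names a variable that does not exist in the diff; the base.scm hunk defines `glibc-2.25-patched` and the `glibc` package points at it with `(replacement glibc-2.25-patched)`. Rename one or the other before pushing so the commit message and the source agree.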
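Review bot: in the base.scm hunk at `@@ -904,34 +905,56 @@`, the replacement `glibc-2.25-patched` (and likewise the reworked `glibc-2.24` and `glibc-2.23`) spells out the full patch list by hand, "glibc-CVE-2017-1000366.patch" "glibc-ldd-x86_64.patch" "glibc-versioned-locpath.patch" "glibc-o-largefile.patch"; the next time `glibc`'s own patch list changes the graft silently stops being "the same package plus the fix", which is the one property a graft must keep. The same file already shows the safer idiom in `glibc-locales`: `(patches (cons (search-patch "glibc-CVE-2017-1000366.patch") (origin-patches (package-source glibc))))`. Use that for the replacement, and for the old versions either the same cons (they inherit `(package-source glibc)` anyway) or a comment saying why the list is frozen.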
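Review bot: the `#t` added after `(substitute* "configure" (("/bin/pwd") "pwd"))` in the glibc-2.22 phase (hunk `@@ -948,7 +972,8 @@`) is an unrelated cleanup that the ChangeLog does not mention; either keep it out of a security-fix commit or record it, e.g. `(glibc-2.22)[arguments]: Return #t from the phase.`, so the change is accounted for.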
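Review bot: the patch now added to the sources of `glibc-2.21` and `glibc-2.22` (hunks `@@ -939,7 +962,8 @@` and `@@ -961,12 +986,14 @@`), and to 2.23 and 2.24, was cut from glibc master (`index 2446a87..2269dbe`, hunk `@@ -2422,7 +2422,8 @@ process_envvars`). Build each of those old versions before pushing: a context mismatch in elf/rtld.c makes the patch phase fail outright rather than skip the fix, and those packages exist only to build locale data, so a failure there breaks `glibc-locales` users for no security gain. As the reply itself says, the LD_PRELOAD and LD_AUDIT commits listed above are not included, so this closes only the LD_LIBRARY_PATH vector.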
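Review bot: `(replacement #f)` on the final `glibc` in commencement.scm (hunk `@@ -642,6 +645,7 @@`, the package commented as "The final glibc, which embeds the statically-linked Bash built above") needs a justification in the commit. If that package is the libc that packages built with the standard build system link against, turning its replacement off means their closures are never grafted and the fix only reaches a `glibc` installed explicitly from base.scm. Either state in a comment next to the field that only the base.scm `glibc` is meant to be grafted, or give the bootstrap-built glibc a replacement built the same way instead of `#f`. The `#f` on `glibc-intermediate` and on the `-wrapped` gcc is right: a graft must never reach into the bootstrap chain.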
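Review bot: the embedded upstream patch keeps the diffstat lines ` ChangeLog | 7 +++++++` and ` 2 files changed, 9 insertions(+), 1 deletion(-)` while its body carries only the elf/rtld.c hunk (dropping the ChangeLog hunk is the usual practice, since it never applies cleanly across versions). patch(1) ignores the stat lines, but trimming them, or adding a one-line note above the diff, saves the next reader from hunting for a ChangeLog change that is not there.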
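The upstream commit Leo lists first, and civodul's IRC remark about `is_trusted_path`, both turn on one branch of ld.so: whether `LD_LIBRARY_PATH` is read at all for an AT_SECURE=1 process. The C program below is an added illustration, my own code rather than glibc's or part of the Guix patch: it models that branch of rtld's `process_envvars()` in its pre-fix and post-fix forms and reports whether the running process itself is AT_SECURE. The environment block `sample_env` is constructed, and the names `env_library_path` and `current_process_is_secure` are this example's own; the real logic lives in glibc's elf/rtld.c.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/auxv.h>          /* getauxval(), AT_SECURE */
#endif

/* Constructed environment for the demonstration: one LD_LIBRARY_PATH
 * setting, one LD_ variable of a different length, one non-LD_ entry. */
static const char *const sample_env[] = {
    "PATH=/run/current-system/profile/bin",
    "LD_LIBRARY_PATH=/tmp/attacker-controlled",
    "LD_BIND_NOW=1",
    NULL
};

/* Model (this example's own) of the LD_LIBRARY_PATH branch of
 * process_envvars() in ld.so.  rtld walks the environment, looks only at
 * names starting with "LD_", dispatches on the length of the remainder,
 * and for length 12 compares it with "LIBRARY_PATH".  `secure` stands in
 * for __libc_enable_secure (AT_SECURE=1: set-user-ID, set-group-ID or
 * capability-bearing program); `fixed` selects the behaviour after the
 * CVE-2017-1000366 commit.  Returns the search path rtld would hand to
 * _dl_init_paths, or NULL when the variable is ignored. */
static const char *env_library_path(const char *const envp[], bool secure,
                                    bool fixed)
{
    const char *library_path = NULL;

    for (const char *const *e = envp; *e != NULL; e++) {
        if (strncmp(*e, "LD_", 3) != 0)
            continue;
        const char *envline = *e + 3;             /* text after "LD_" */
        size_t len = 0;
        while (envline[len] != '\0' && envline[len] != '=')
            len++;
        if (envline[len] != '=')                  /* "LD_FOO" with no value */
            continue;

        switch (len) {
        case 12:
            /* Before the fix the value is taken unconditionally and
             * reaches _dl_init_paths, which copies the whole string onto
             * the stack (the unbounded alloca the upstream message names)
             * before the per-directory trusted-path filtering runs.  After
             * the fix an AT_SECURE=1 process never gets that far. */
            if ((!fixed || !secure)
                && memcmp(envline, "LIBRARY_PATH", 12) == 0)
                library_path = &envline[13];
            break;
        default:
            /* LD_PRELOAD, LD_AUDIT and the rest are separate cases in
             * rtld and are not modelled here. */
            break;
        }
    }
    return library_path;
}

/* 1 if the kernel marked this process AT_SECURE (ld.so derives
 * __libc_enable_secure from it), 0 if not, -1 where getauxval() is
 * unavailable (non-Linux build). */
static long current_process_is_secure(void)
{
#ifdef __linux__
    return (long) getauxval(AT_SECURE);
#else
    return -1;
#endif
}

int main(void)
{
    long secure = current_process_is_secure();
    const char *before = env_library_path(sample_env, secure == 1, false);
    const char *after = env_library_path(sample_env, secure == 1, true);

    printf("AT_SECURE=%ld\n", secure);
    printf("pre-fix rtld passes to _dl_init_paths:  %s\n",
           before ? before : "(ignored)");
    printf("post-fix rtld passes to _dl_init_paths: %s\n",
           after ? after : "(ignored)");
    return 0;
}
```

Run unprivileged, AT_SECURE is 0 and both forms return the path; the difference only shows for a set-user-ID or capability-bearing binary, which is exactly why the upstream change is safe to apply as a graft: non-secure processes see no behaviour change.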