unofficial mirror of bug-guix@gnu.org 
* bug#27429: Stack clash (CVE-2017-1000366 etc)
@ 2017-06-19 22:25 Leo Famulari
  2017-06-19 23:05 ` Leo Famulari
                   ` (4 more replies)
  0 siblings, 5 replies; 37+ messages in thread
From: Leo Famulari @ 2017-06-19 22:25 UTC (permalink / raw)
  To: 27429

This is a place to discuss the "stack clash" bugs as they apply to our
packages.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000366
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt

* bug#27429: Stack clash (CVE-2017-1000366 etc)
  2017-06-19 22:25 bug#27429: Stack clash (CVE-2017-1000366 etc) Leo Famulari
@ 2017-06-19 23:05 ` Leo Famulari
  2017-06-20  0:42   ` Leo Famulari
  2017-06-20  0:49 ` Leo Famulari
                   ` (3 subsequent siblings)
  4 siblings, 1 reply; 37+ messages in thread
From: Leo Famulari @ 2017-06-19 23:05 UTC (permalink / raw)
  To: 27429

I'm currently testing the patch for CVE-2017-1000369 in Exim:

https://git.exim.org/exim.git/commit/65e061b76867a9ea7aeeb535341b790b90ae6c21

"To reach the start of the stack with the end of the heap (man brk), we
permanently leak memory through multiple -p command-line arguments that
are malloc()ated by Exim but never free()d (CVE-2017-1000369) -- we call
such a malloc()ated chunk of heap memory a "memleak-chunk"."

https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt

* bug#27429: Stack clash (CVE-2017-1000366 etc)
  2017-06-19 23:05 ` Leo Famulari
@ 2017-06-20  0:42   ` Leo Famulari
  0 siblings, 0 replies; 37+ messages in thread
From: Leo Famulari @ 2017-06-20  0:42 UTC (permalink / raw)
  To: 27429

On Mon, Jun 19, 2017 at 07:05:10PM -0400, Leo Famulari wrote:
> I'm currently testing the patch for CVE-2017-1000369 in Exim:
> 
> https://git.exim.org/exim.git/commit/65e061b76867a9ea7aeeb535341b790b90ae6c21
> 
> "To reach the start of the stack with the end of the heap (man brk), we
> permanently leak memory through multiple -p command-line arguments that
> are malloc()ated by Exim but never free()d (CVE-2017-1000369) -- we call
> such a malloc()ated chunk of heap memory a "memleak-chunk"."
> 
> https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt

Pushed as 4dd8d280857607d1ee41ae03c62c5e629ad75c37.

* bug#27429: Stack clash (CVE-2017-1000366 etc)
  2017-06-19 22:25 bug#27429: Stack clash (CVE-2017-1000366 etc) Leo Famulari
  2017-06-19 23:05 ` Leo Famulari
@ 2017-06-20  0:49 ` Leo Famulari
  2017-06-20  7:18   ` Efraim Flashner
  2017-06-20  3:31 ` Mark H Weaver
                   ` (2 subsequent siblings)
  4 siblings, 1 reply; 37+ messages in thread
From: Leo Famulari @ 2017-06-20  0:49 UTC (permalink / raw)
  To: 27429

On the glibc bugs (CVE-2016-1000366), civodul said:

[21:02:26]	<civodul>	lfam: i *think* GuixSD is immune to the LD_LIBRARY_PATH one, FWIW
[...]
[21:02:43]	<civodul>	lfam: because of the way is_trusted_path works in glibc

https://gnunet.org/bot/log/guix/2017-06-19#T1422600

Relevant upstream commits:

CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1 programs [BZ #21624]
https://sourceware.org/git/?p=glibc.git;a=commit;h=f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d

ld.so: Reject overly long LD_PRELOAD path elements
https://sourceware.org/git/?p=glibc.git;a=commit;h=6d0ba622891bed9d8394eef1935add53003b12e8

ld.so: Reject overly long LD_AUDIT path elements:
https://sourceware.org/git/?p=glibc.git;a=commit;h=81b82fb966ffbd94353f793ad17116c6088dedd9

* bug#27429: Stack clash (CVE-2017-1000366 etc)
  2017-06-19 22:25 bug#27429: Stack clash (CVE-2017-1000366 etc) Leo Famulari
  2017-06-19 23:05 ` Leo Famulari
  2017-06-20  0:49 ` Leo Famulari
@ 2017-06-20  3:31 ` Mark H Weaver
  2017-06-25  9:38 ` bug#27429: Stack clash (CVE-2017-1000366 etc); -fstack-check Danny Milosavljevic
  2017-07-20 15:54 ` bug#27429: Stack clash (CVE-2017-1000366 etc) Ludovic Courtès
  4 siblings, 0 replies; 37+ messages in thread
From: Mark H Weaver @ 2017-06-20  3:31 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 27429

Leo Famulari <leo@famulari.name> writes:

> This is a place to discuss the "stack clash" bugs as they apply to our
> packages.
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000366
> https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt

I pushed commit 91c623aae0f10992aa46957b9072679534e4cd28 which adds a
kernel-side mitigation in the form of a larger stack guard gap (1 MiB)
to linux-libre-4.11, 4.9, and 4.4.

4.1 is still vulnerable.  So far I've been unable to find a backported
patch for that kernel.

       Mark

* bug#27429: Stack clash (CVE-2017-1000366 etc)
  2017-06-20  0:49 ` Leo Famulari
@ 2017-06-20  7:18   ` Efraim Flashner
  2017-06-20 13:16     ` Leo Famulari
  2017-06-20 21:44     ` Mark H Weaver
  0 siblings, 2 replies; 37+ messages in thread
From: Efraim Flashner @ 2017-06-20  7:18 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 27429


On Mon, Jun 19, 2017 at 08:49:20PM -0400, Leo Famulari wrote:
> On the glibc bugs (CVE-2016-1000366), civodul said:
> 
> [21:02:26]	<civodul>	lfam: i *think* GuixSD is immune to the LD_LIBRARY_PATH one, FWIW
> [...]
> [21:02:43]	<civodul>	lfam: because of the way is_trusted_path works in glibc
> 
> https://gnunet.org/bot/log/guix/2017-06-19#T1422600
> 
> Relevant upstream commits:
> 
> CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1 programs [BZ #21624]
> https://sourceware.org/git/?p=glibc.git;a=commit;h=f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d
> 
> ld.so: Reject overly long LD_PRELOAD path elements
> https://sourceware.org/git/?p=glibc.git;a=commit;h=6d0ba622891bed9d8394eef1935add53003b12e8
> 
> ld.so: Reject overly long LD_AUDIT path elements:
> https://sourceware.org/git/?p=glibc.git;a=commit;h=81b82fb966ffbd94353f793ad17116c6088dedd9

I don't know if this is true or not, but I have a patch here locally
that seems to work against the CVE. I haven't downloaded the other
patches and added them, but with all the '(replacement #f)'s in place
it should just work to add them into the glibc packages we have.

I'll wait and see before pushing the patch.


-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #1.2: 0001-gnu-glibc-Patch-CVE-2017-1000366.patch --]
[-- Type: text/plain, Size: 9266 bytes --]

From 2a83d2a8265314af3d8b16f86187897223567d6e Mon Sep 17 00:00:00 2001
From: Efraim Flashner <efraim@flashner.co.il>
Date: Mon, 19 Jun 2017 23:13:53 +0300
Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.

* gnu/packages/base.scm (glibc)[replacement]: New field.
(glibc-2.25-fixed): New variable.
(glibc@2.24, glibc@2.23, glibc@2.22, glibc@2.21)[source]: Add patch.
[replacement]: New field.
(glibc-locales)[replacement]: New field.
* gnu/packages/commencement.scm (glibc-final-with-bootstrap-bash,
cross-gcc-wrapper, glibc-final)[replacement]: New field.
* gnu/packages/patches/glibc-CVE-2017-1000366.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
---
 gnu/local.mk                                      |  1 +
 gnu/packages/base.scm                             | 39 +++++++++++++++++++----
 gnu/packages/commencement.scm                     |  4 +++
 gnu/packages/patches/glibc-CVE-2017-1000366.patch | 33 +++++++++++++++++++
 4 files changed, 71 insertions(+), 6 deletions(-)
 create mode 100644 gnu/packages/patches/glibc-CVE-2017-1000366.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index ae4a59af0..6b598335b 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -632,6 +632,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/ghostscript-runpath.patch		\
   %D%/packages/patches/glib-networking-ssl-cert-file.patch	\
   %D%/packages/patches/glib-tests-timer.patch			\
+  %D%/packages/patches/glibc-CVE-2017-1000366.patch		\
   %D%/packages/patches/glibc-bootstrap-system.patch		\
   %D%/packages/patches/glibc-ldd-x86_64.patch			\
   %D%/packages/patches/glibc-locales.patch			\
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index d135a18bf..fe066edcd 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -5,7 +5,7 @@
 ;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2014 Alex Kost <alezost@gmail.com>
 ;;; Copyright © 2014, 2015 Manolis Fragkiskos Ragkousis <manolis837@gmail.com>
-;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
 ;;;
@@ -558,6 +558,7 @@ store.")
   (package
    (name "glibc")
    (version "2.25")
+   (replacement glibc-2.25-patched)
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/glibc/glibc-"
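
Review bot: the replacement named here, `glibc-2.25-patched`, does not match the commit message, which announces `(glibc-2.25-fixed): New variable`; pick one name and use it in both places so the ChangeLog-style entry can be searched against the code.
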
@@ -904,34 +905,56 @@ GLIBC/HURD for a Hurd host"
 ;; Below are old libc versions, which we use mostly to build locale data in
 ;; the old format (which the new libc cannot cope with.)
 
+(define glibc-2.25-patched
+  (package
+    (inherit glibc)
+    (replacement #f)
+    (source (origin
+              (inherit (package-source glibc))
+              (patches (search-patches "glibc-CVE-2017-1000366.patch"
+                                       "glibc-ldd-x86_64.patch"
+                                       "glibc-versioned-locpath.patch"
+                                       "glibc-o-largefile.patch"))))))
+
 (define-public glibc-2.24
   (package
     (inherit glibc)
     (version "2.24")
+    (replacement #f)
     (source (origin
               (inherit (package-source glibc))
               (uri (string-append "mirror://gnu/glibc/glibc-"
                                   version ".tar.xz"))
               (sha256
                (base32
-                "1lxmprg9gm73gvafxd503x70z32phwjzcy74i0adfi6ixzla7m4r"))))))
+                "1lxmprg9gm73gvafxd503x70z32phwjzcy74i0adfi6ixzla7m4r"))
+              (patches (search-patches "glibc-CVE-2017-1000366.patch"
+                                       "glibc-ldd-x86_64.patch"
+                                       "glibc-versioned-locpath.patch"
+                                       "glibc-o-largefile.patch"))))))
 
 (define-public glibc-2.23
   (package
     (inherit glibc)
     (version "2.23")
+    (replacement #f)
     (source (origin
               (inherit (package-source glibc))
               (uri (string-append "mirror://gnu/glibc/glibc-"
                                   version ".tar.xz"))
               (sha256
                (base32
-                "1s8krs3y2n6pzav7ic59dz41alqalphv7vww4138ag30wh0fpvwl"))))))
+                "1s8krs3y2n6pzav7ic59dz41alqalphv7vww4138ag30wh0fpvwl"))
+              (patches (search-patches "glibc-CVE-2017-1000366.patch"
+                                       "glibc-ldd-x86_64.patch"
+                                       "glibc-versioned-locpath.patch"
+                                       "glibc-o-largefile.patch"))))))
 
 (define-public glibc-2.22
   (package
     (inherit glibc)
     (version "2.22")
+    (replacement #f)
     (source (origin
               (inherit (package-source glibc))
               (uri (string-append "mirror://gnu/glibc/glibc-"
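
Review bot: `glibc-2.25-patched` spells out the inherited patch list by hand (`"glibc-ldd-x86_64.patch"`, `"glibc-versioned-locpath.patch"`, `"glibc-o-largefile.patch"`), and the same list is copied into `glibc-2.24` and `glibc-2.23`; if the parent's list ever changes, the replacement silently diverges from the package it is grafted onto, which is exactly what a graft must not do. The `glibc-locales` definition further down this file shows the idiom that stays in lockstep: `(patches (cons (search-patch "glibc-CVE-2017-1000366.patch") (origin-patches (package-source glibc))))`. The new definition also lands under the comment `;; Below are old libc versions`, although it is the current one; moving it above that comment, or giving it its own comment saying it exists only to be grafted, would keep the file's layout honest.
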
@@ -939,7 +962,8 @@ GLIBC/HURD for a Hurd host"
               (sha256
                (base32
                 "0j49682pm2nh4qbdw35bas82p1pgfnz4d2l7iwfyzvrvj0318wzb"))
-              (patches (search-patches "glibc-ldd-x86_64.patch"))))
+              (patches (search-patches "glibc-CVE-2017-1000366.patch"
+                                       "glibc-ldd-x86_64.patch"))))
     (arguments
       (substitute-keyword-arguments (package-arguments glibc)
         ((#:phases phases)
@@ -948,7 +972,8 @@ GLIBC/HURD for a Hurd host"
               (lambda _
                 ;; Use `pwd' instead of `/bin/pwd' for glibc-2.21
                 (substitute* "configure"
-                  (("/bin/pwd") "pwd"))))))))))
+                  (("/bin/pwd") "pwd"))
+                #t))))))))
 
 (define-public glibc-2.21
   (package
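
Review bot: the added `#t` at the end of the `glibc-2.22` configure phase is unrelated to CVE-2017-1000366 and is not mentioned in the commit message; either drop it from this patch or call it out in the message so a reviewer of the security fix does not have to wonder why a phase's return value changed.
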
@@ -961,12 +986,14 @@ GLIBC/HURD for a Hurd host"
               (sha256
                (base32
                 "1f135546j34s9bfkydmx2nhh9vwxlx60jldi80zmsnln6wj3dsxf"))
-              (patches (search-patches "glibc-ldd-x86_64.patch"))))))
+              (patches (search-patches "glibc-CVE-2017-1000366.patch"
+                                       "glibc-ldd-x86_64.patch"))))))
 
 (define-public glibc-locales
   (package
     (inherit glibc)
     (name "glibc-locales")
+    (replacement #f)
     (source (origin (inherit (package-source glibc))
                     (patches (cons (search-patch "glibc-locales.patch")
                                    (origin-patches (package-source glibc))))))
diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
index 1b41feac1..42892bbe8 100644
--- a/gnu/packages/commencement.scm
+++ b/gnu/packages/commencement.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2014 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2012 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -469,6 +470,7 @@ the bootstrap environment."
   (package-with-bootstrap-guile
    (package (inherit glibc)
      (name "glibc-intermediate")
+     (replacement #f)
      (arguments
       `(#:guile ,%bootstrap-guile
         #:implicit-inputs? #f
@@ -540,6 +542,7 @@ the bootstrap environment."
 that makes it available under the native tool names."
   (package (inherit gcc)
     (name (string-append (package-name gcc) "-wrapped"))
+    (replacement #f)
     (source #f)
     (build-system trivial-build-system)
     (outputs '("out"))
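
Review bot: this `(replacement #f)` is set on a package that inherits `gcc`, not `glibc` (`(package (inherit gcc) (name (string-append (package-name gcc) "-wrapped")))`); nothing in this patch gives `gcc` a replacement, so the override looks like a no-op for the glibc graft. If it is meant to guard against a future gcc graft, say so in a comment; otherwise drop it to keep the security change minimal.
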
@@ -642,6 +645,7 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
   ;; The final glibc, which embeds the statically-linked Bash built above.
   (package (inherit glibc-final-with-bootstrap-bash)
     (name "glibc")
+    (replacement #f)
     (inputs `(("static-bash" ,static-bash-for-glibc)
               ,@(alist-delete
                  "static-bash"
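
Review bot: setting `(replacement #f)` on `glibc-final` (the package named `"glibc"` here, built from `glibc-final-with-bootstrap-bash`) suppresses the graft on the very libc that built packages link against, so the CVE fix is not applied where it matters; this matches the reference listing Leo posted, where gnupg still references the unpatched glibc. Instead of disabling the replacement, derive this package with `package/inherit`, which carries the parent's replacement through, and drop the `(replacement #f)` line here.
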
diff --git a/gnu/packages/patches/glibc-CVE-2017-1000366.patch b/gnu/packages/patches/glibc-CVE-2017-1000366.patch
new file mode 100644
index 000000000..106e81d91
--- /dev/null
+++ b/gnu/packages/patches/glibc-CVE-2017-1000366.patch
@@ -0,0 +1,33 @@
+From f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 19 Jun 2017 17:09:55 +0200
+Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1
+ programs [BZ #21624]
+
+LD_LIBRARY_PATH can only be used to reorder system search paths, which
+is not useful functionality.
+
+This makes an exploitable unbounded alloca in _dl_init_paths unreachable
+for AT_SECURE=1 programs.
+---
+ ChangeLog  | 7 +++++++
+ elf/rtld.c | 3 ++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 2446a87..2269dbe 100644
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -2422,7 +2422,8 @@ process_envvars (enum mode *modep)
+ 
+ 	case 12:
+ 	  /* The library search path.  */
+-	  if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
++	  if (!__libc_enable_secure
++	      && memcmp (envline, "LIBRARY_PATH", 12) == 0)
+ 	    {
+ 	      library_path = &envline[13];
+ 	      break;
+-- 
+2.9.3
+
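
Review bot: the embedded upstream patch keeps its original diffstat (`ChangeLog | 7 +++++++`, `2 files changed`) but carries only the `elf/rtld.c` hunk; the ChangeLog hunk was dropped without updating the stat, so the header overstates what the file applies. Trim the diffstat to the one hunk, or add a line noting that the ChangeLog part was omitted, so the next person comparing against commit f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d sees that the omission is deliberate. The `From:`/`Subject:` lines that identify the upstream commit are worth keeping as they are.
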
-- 
2.13.1


* bug#27429: Stack clash (CVE-2017-1000366 etc)
  2017-06-20  7:18   ` Efraim Flashner
@ 2017-06-20 13:16     ` Leo Famulari
  2017-06-20 21:44     ` Mark H Weaver
  1 sibling, 0 replies; 37+ messages in thread
From: Leo Famulari @ 2017-06-20 13:16 UTC (permalink / raw)
  To: Efraim Flashner; +Cc: 27429

On Tue, Jun 20, 2017 at 10:18:57AM +0300, Efraim Flashner wrote:
> Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
> 
> * gnu/packages/base.scm (glibc)[replacement]: New field.
> (glibc-2.25-fixed): New variable.
> (glibc@2.24, glibc@2.23, glibc@2.22, glibc@2.21)[source]: Add patch.
> [replacement]: New field.
> (glibc-locales)[replacement]: New field.
> * gnu/packages/commencement.scm (glibc-final-with-bootstrap-bash,
> cross-gcc-wrapper, glibc-final)[replacement]: New field.
> * gnu/packages/patches/glibc-CVE-2017-1000366.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.

I'm not sure which glibc packages should be grafted and which should
not. But this patch doesn't seem to have an effect for me. With the
patch applied:

$ ./pre-inst-env guix build glibc
/gnu/store/d13m5axwk9vra6r50rq5wlmvi4vmlfcf-glibc-2.25-debug
/gnu/store/yk29yl8088c8qbj2259mf3879r107dsa-glibc-2.25
$ guix gc --references $(./pre-inst-env guix build gnupg)
/gnu/store/3qz6h4fgjn7n0p6vhqbk0lpv6pil0gr7-pcsc-lite-1.8.22
/gnu/store/5c9hjca0fjn0wq0ycx3b1zzza1ra6crq-npth-1.4
/gnu/store/a8p0j9m2i9jh8pczv2rp4bvmidi026d1-libassuan-2.4.3
/gnu/store/dcc4b6r7npjmhdsah1g6nw1j9wdy635y-sqlite-3.17.0
/gnu/store/dhc2iy059hi91fk55dcv79z09kp6500y-gcc-5.4.0-lib
/gnu/store/g5iwy1hp055y3aipasfxnh7dfnigzi82-gnupg-2.1.21
/gnu/store/hag795ji8p9vqikwp8cibfibpsa39s3n-libgcrypt-1.7.6
/gnu/store/j92kxc1l8h879cc4ss1gbhsq73ddnbsg-libgpg-error-1.26
/gnu/store/jsflzpi7pnc7m5p7cln8bjcma4lsi6hd-gnutls-3.5.D
/gnu/store/jwkcd7siv6fcyl0qsg607bg9c8ap0gqr-zlib-1.2.11
/gnu/store/k7029k5va68lkapbzcycdzj7m5bjb4b8-bash-4.4.12
/gnu/store/rmjlycdgiq8pfy5hfi42qhw3k7p6kdav-glibc-2.25
/gnu/store/sjm2c0dymn3mjl7g0jqbjdbibnqh0iaw-readline-7.0
/gnu/store/xa7q8aspczcmvh0hqyy790mwzgwmfwr3-openldap-2.4.44
/gnu/store/z0xz1z70rwp273chi1gyb9cxzblylzba-libksba-1.3.5

The grafted glibc doesn't appear to be referenced.

* bug#27429: Stack clash (CVE-2017-1000366 etc)
  2017-06-20  7:18   ` Efraim Flashner
  2017-06-20 13:16     ` Leo Famulari
@ 2017-06-20 21:44     ` Mark H Weaver
  2017-06-21  8:41       ` Efraim Flashner
  1 sibling, 1 reply; 37+ messages in thread
From: Mark H Weaver @ 2017-06-20 21:44 UTC (permalink / raw)
  To: Efraim Flashner; +Cc: 27429

Hi Efraim,

Thanks so much for working on this!

Grafting glibc is something we haven't done before to my knowledge, and
it is a bit tricky because of all of the inherited versions of glibc.
At present, those inherited versions are not expressed in such a way to
make grafting work.

One important tool is the 'package/inherit' macro, which I added to
(guix packages) in early May to facilitate another graft.  In order to
graft 'glibc' properly, we'll first need to use 'package/inherit' in a
couple of places, I think.

Efraim Flashner <efraim@flashner.co.il> writes:

> From 2a83d2a8265314af3d8b16f86187897223567d6e Mon Sep 17 00:00:00 2001
> From: Efraim Flashner <efraim@flashner.co.il>
> Date: Mon, 19 Jun 2017 23:13:53 +0300
> Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
>
> * gnu/packages/base.scm (glibc)[replacement]: New field.

Please write (glibc/linux) instead of (glibc) above, since that's the
variable whose definition is being changed.

See below for more comments.

> (glibc-2.25-fixed): New variable.
> (glibc@2.24, glibc@2.23, glibc@2.22, glibc@2.21)[source]: Add patch.
> [replacement]: New field.
> (glibc-locales)[replacement]: New field.
> * gnu/packages/commencement.scm (glibc-final-with-bootstrap-bash,
> cross-gcc-wrapper, glibc-final)[replacement]: New field.
> * gnu/packages/patches/glibc-CVE-2017-1000366.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> ---
>  gnu/local.mk                                      |  1 +
>  gnu/packages/base.scm                             | 39 +++++++++++++++++++----
>  gnu/packages/commencement.scm                     |  4 +++
>  gnu/packages/patches/glibc-CVE-2017-1000366.patch | 33 +++++++++++++++++++
>  4 files changed, 71 insertions(+), 6 deletions(-)
>  create mode 100644 gnu/packages/patches/glibc-CVE-2017-1000366.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index ae4a59af0..6b598335b 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -632,6 +632,7 @@ dist_patch_DATA =						\
>    %D%/packages/patches/ghostscript-runpath.patch		\
>    %D%/packages/patches/glib-networking-ssl-cert-file.patch	\
>    %D%/packages/patches/glib-tests-timer.patch			\
> +  %D%/packages/patches/glibc-CVE-2017-1000366.patch		\
>    %D%/packages/patches/glibc-bootstrap-system.patch		\
>    %D%/packages/patches/glibc-ldd-x86_64.patch			\
>    %D%/packages/patches/glibc-locales.patch			\

Your changes to (gnu packages base) look good to me, so I've omitted
them.  In particular, you are right to add (replacement #f) in the
places where you've done so.

> diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
> index 1b41feac1..42892bbe8 100644
> --- a/gnu/packages/commencement.scm
> +++ b/gnu/packages/commencement.scm
> @@ -3,6 +3,7 @@
>  ;;; Copyright © 2014 Andreas Enge <andreas@enge.fr>
>  ;;; Copyright © 2012 Nikita Karetnikov <nikita@karetnikov.org>
>  ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
> +;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
>  ;;;
>  ;;; This file is part of GNU Guix.
>  ;;;
> @@ -469,6 +470,7 @@ the bootstrap environment."
>    (package-with-bootstrap-guile
>     (package (inherit glibc)
>       (name "glibc-intermediate")
> +     (replacement #f)
>       (arguments
>        `(#:guile ,%bootstrap-guile
>          #:implicit-inputs? #f
> @@ -540,6 +542,7 @@ the bootstrap environment."
>  that makes it available under the native tool names."
>    (package (inherit gcc)
>      (name (string-append (package-name gcc) "-wrapped"))
> +    (replacement #f)
>      (source #f)
>      (build-system trivial-build-system)
>      (outputs '("out"))
> @@ -642,6 +645,7 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
>    ;; The final glibc, which embeds the statically-linked Bash built above.
>    (package (inherit glibc-final-with-bootstrap-bash)
>      (name "glibc")
> +    (replacement #f)
>      (inputs `(("static-bash" ,static-bash-for-glibc)
>                ,@(alist-delete
>                   "static-bash"

The problem here is that almost all of the software in Guix is linked
against glibc-final, and you've suppressed the replacement for it.  This
is where the 'package/inherit' macro becomes useful.

I think we need to enable grafting for both
'glibc-final-with-bootstrap-bash' and 'glibc-final', by replacing

  (package (inherit GLIBC-FOO)
    ...)

with:

  (package/inherit GLIBC-FOO
    ...)

and remove the (replacement #f) override from those two packages,
because 'package/inherit' will implicitly override 'replacement' as
appropriate.

Would you like to try this?

> diff --git a/gnu/packages/patches/glibc-CVE-2017-1000366.patch b/gnu/packages/patches/glibc-CVE-2017-1000366.patch
> new file mode 100644
> index 000000000..106e81d91
> --- /dev/null
> +++ b/gnu/packages/patches/glibc-CVE-2017-1000366.patch
> @@ -0,0 +1,33 @@
> +From f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d Mon Sep 17 00:00:00 2001
> +From: Florian Weimer <fweimer@redhat.com>
> +Date: Mon, 19 Jun 2017 17:09:55 +0200
> +Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1
> + programs [BZ #21624]
> +
> +LD_LIBRARY_PATH can only be used to reorder system search paths, which
> +is not useful functionality.
> +
> +This makes an exploitable unbounded alloca in _dl_init_paths unreachable
> +for AT_SECURE=1 programs.
> +---
> + ChangeLog  | 7 +++++++
> + elf/rtld.c | 3 ++-
> + 2 files changed, 9 insertions(+), 1 deletion(-)
> +
> +diff --git a/elf/rtld.c b/elf/rtld.c
> +index 2446a87..2269dbe 100644
> +--- a/elf/rtld.c
> ++++ b/elf/rtld.c
> +@@ -2422,7 +2422,8 @@ process_envvars (enum mode *modep)
> + 
> + 	case 12:
> + 	  /* The library search path.  */
> +-	  if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
> ++	  if (!__libc_enable_secure
> ++	      && memcmp (envline, "LIBRARY_PATH", 12) == 0)
> + 	    {
> + 	      library_path = &envline[13];
> + 	      break;
> +-- 
> +2.9.3
> +

What about the other two patches?  Namely, quoting Leo:

> ld.so: Reject overly long LD_PRELOAD path elements
> https://sourceware.org/git/?p=glibc.git;a=commit;h=6d0ba622891bed9d8394eef1935add53003b12e8
> 
> ld.so: Reject overly long LD_AUDIT path elements:
> https://sourceware.org/git/?p=glibc.git;a=commit;h=81b82fb966ffbd94353f793ad17116c6088dedd9

One more thing: since this grafting of 'glibc' is unprecedented and has
the potential for breakage, I think it should be tested as follows:
someone running GuixSD should reconfigure their entire system using the
grafted 'glibc', and they should boot into it to make sure nothing
obvious is broken, before we commit.

Also, we should check the references and make sure that the fixed glibc
is actually being used.

Thank you!

       Mark

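
The reference check that Leo ran by hand above (`guix build glibc`, then `guix gc --references` on a package's output) and that Mark asks for as a precondition for committing can be scripted so the verdict is mechanical. The script below is an added example, not code from the thread or from Guix; it only compares two captured listings and assumes they were produced by the commands named in its comments. The sample listings are copied from Leo's message, trimmed to the lines that matter; the "good" listing in the usage note is constructed.

```sh
#!/bin/sh
# Added example, not code from the thread: decide from two captured
# listings whether a package's runtime closure references the glibc
# that `guix build glibc` currently returns (the grafted one when a
# replacement is in effect).  Assumed capture commands:
#   guix build glibc                          -> GLIBC_OUTPUTS
#   guix gc --references $(guix build gnupg)  -> PKG_REFERENCES
# Both sample listings below are copied from Leo's message above.

GLIBC_OUTPUTS='/gnu/store/d13m5axwk9vra6r50rq5wlmvi4vmlfcf-glibc-2.25-debug
/gnu/store/yk29yl8088c8qbj2259mf3879r107dsa-glibc-2.25'

PKG_REFERENCES='/gnu/store/3qz6h4fgjn7n0p6vhqbk0lpv6pil0gr7-pcsc-lite-1.8.22
/gnu/store/dhc2iy059hi91fk55dcv79z09kp6500y-gcc-5.4.0-lib
/gnu/store/g5iwy1hp055y3aipasfxnh7dfnigzi82-gnupg-2.1.21
/gnu/store/jwkcd7siv6fcyl0qsg607bg9c8ap0gqr-zlib-1.2.11
/gnu/store/rmjlycdgiq8pfy5hfi42qhw3k7p6kdav-glibc-2.25'

# The "out" output of glibc is the store item whose name ends in
# glibc-<version>; the -debug output is listed separately and skipped.
main_glibc_output() {
    printf '%s\n' "$1" | grep -E -e '-glibc-[0-9.]+$' | head -n 1
}

# Every glibc "out" item a package references (normally exactly one;
# prints nothing, with success, when there is none).
glibc_references() {
    printf '%s\n' "$1" | grep -E -e '-glibc-[0-9.]+$' || :
}

# check_graft GLIBC_LISTING REFERENCES_LISTING
# Returns 0 when the package references exactly the glibc that
# `guix build glibc` returned, 1 when it references a different (or no)
# glibc, 2 when the first listing holds no glibc output at all.
check_graft() {
    expected=$(main_glibc_output "$1")
    actual=$(glibc_references "$2")
    if [ -z "$expected" ]; then
        echo "error: no glibc output in the first listing" >&2
        return 2
    fi
    if [ "$actual" = "$expected" ]; then
        echo "OK: package references $expected"
        return 0
    fi
    echo "MISMATCH: guix build glibc returned $expected"
    echo "          package references      ${actual:-<no glibc at all>}"
    return 1
}

# Leo's listings: gnupg still references rmjlycd...-glibc-2.25, so the
# graft has not taken effect and check_graft reports a mismatch.
check_graft "$GLIBC_OUTPUTS" "$PKG_REFERENCES"
echo "exit status: $?"
```

`guix gc --references` lists only direct references; to check a whole system closure the same functions can be fed the output of `guix gc --requisites` instead, which is the question Mark raises for a reconfigured GuixSD system. A listing that does reference the grafted store path makes `check_graft` return 0, which is the condition to require before pushing a graft.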
* bug#27429: Stack clash (CVE-2017-1000366 etc)
  2017-06-20 21:44     ` Mark H Weaver
@ 2017-06-21  8:41       ` Efraim Flashner
  2017-06-21  9:50         ` Efraim Flashner
  0 siblings, 1 reply; 37+ messages in thread
From: Efraim Flashner @ 2017-06-21  8:41 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: 27429


On Tue, Jun 20, 2017 at 05:44:42PM -0400, Mark H Weaver wrote:
> Hi Efraim,
> 
> Thanks so much for working on this!
> 
> Grafting glibc is something we haven't done before to my knowledge, and
> it is a bit tricky because of all of the inherited versions of glibc.
> At present, those inherited versions are not expressed in such a way to
> make grafting work.
> 
> One important tool is the 'package/inherit' macro, which I added to
> (guix packages) in early May to facilitate another graft.  In order to
> graft 'glibc' properly, we'll first need to use 'package/inherit' in a
> couple of places, I think.
> 

I like your optimism :)

> Efraim Flashner <efraim@flashner.co.il> writes:
> 
> > From 2a83d2a8265314af3d8b16f86187897223567d6e Mon Sep 17 00:00:00 2001
> > From: Efraim Flashner <efraim@flashner.co.il>
> > Date: Mon, 19 Jun 2017 23:13:53 +0300
> > Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
> >
> > * gnu/packages/base.scm (glibc)[replacement]: New field.
> 
> Please write (glibc/linux) instead of (glibc) above, since that's the
> variable whose definition is being changed.

noted

> 
> See below for more comments.
> 
> > (glibc-2.25-fixed): New variable.
> > (glibc@2.24, glibc@2.23, glibc@2.22, glibc@2.21)[source]: Add patch.
> > [replacement]: New field.
> > (glibc-locales)[replacement]: New field.
> > * gnu/packages/commencement.scm (glibc-final-with-bootstrap-bash,
> > cross-gcc-wrapper, glibc-final)[replacement]: New field.
> > * gnu/packages/patches/glibc-CVE-2017-1000366.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> > ---
> >  gnu/local.mk                                      |  1 +
> >  gnu/packages/base.scm                             | 39 +++++++++++++++++++----
> >  gnu/packages/commencement.scm                     |  4 +++
> >  gnu/packages/patches/glibc-CVE-2017-1000366.patch | 33 +++++++++++++++++++
> >  4 files changed, 71 insertions(+), 6 deletions(-)
> >  create mode 100644 gnu/packages/patches/glibc-CVE-2017-1000366.patch
> >
> > diff --git a/gnu/local.mk b/gnu/local.mk
> > index ae4a59af0..6b598335b 100644
> > --- a/gnu/local.mk
> > +++ b/gnu/local.mk
> > @@ -632,6 +632,7 @@ dist_patch_DATA =						\
> >    %D%/packages/patches/ghostscript-runpath.patch		\
> >    %D%/packages/patches/glib-networking-ssl-cert-file.patch	\
> >    %D%/packages/patches/glib-tests-timer.patch			\
> > +  %D%/packages/patches/glibc-CVE-2017-1000366.patch		\
> >    %D%/packages/patches/glibc-bootstrap-system.patch		\
> >    %D%/packages/patches/glibc-ldd-x86_64.patch			\
> >    %D%/packages/patches/glibc-locales.patch			\
> 
> Your changes to (gnu packages base) look good to me, so I've omitted
> them.  In particular, you are right to add (replacement #f) in the
> places where you've done so.
> 
> > diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
> > index 1b41feac1..42892bbe8 100644
> > --- a/gnu/packages/commencement.scm
> > +++ b/gnu/packages/commencement.scm
> > @@ -3,6 +3,7 @@
> >  ;;; Copyright © 2014 Andreas Enge <andreas@enge.fr>
> >  ;;; Copyright © 2012 Nikita Karetnikov <nikita@karetnikov.org>
> >  ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
> > +;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
> >  ;;;
> >  ;;; This file is part of GNU Guix.
> >  ;;;
> > @@ -469,6 +470,7 @@ the bootstrap environment."
> >    (package-with-bootstrap-guile
> >     (package (inherit glibc)
> >       (name "glibc-intermediate")
> > +     (replacement #f)
> >       (arguments
> >        `(#:guile ,%bootstrap-guile
> >          #:implicit-inputs? #f
> > @@ -540,6 +542,7 @@ the bootstrap environment."
> >  that makes it available under the native tool names."
> >    (package (inherit gcc)
> >      (name (string-append (package-name gcc) "-wrapped"))
> > +    (replacement #f)
> >      (source #f)
> >      (build-system trivial-build-system)
> >      (outputs '("out"))
> > @@ -642,6 +645,7 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
> >    ;; The final glibc, which embeds the statically-linked Bash built above.
> >    (package (inherit glibc-final-with-bootstrap-bash)
> >      (name "glibc")
> > +    (replacement #f)
> >      (inputs `(("static-bash" ,static-bash-for-glibc)
> >                ,@(alist-delete
> >                   "static-bash"
> 
> The problem here is that almost all of the software in Guix is linked
> against glibc-final, and you've suppressed the replacement for it.  This
> is where the 'package/inherit' macro becomes useful.
> 
> I think we need to enable grafting for both
> 'glibc-final-with-bootstrap-bash' and 'glibc-final', by replacing
> 
>   (package (inherit GLIBC-FOO)
>     ...)
> 
> with:
> 
>   (package/inherit GLIBC-FOO
>     ...)
> 
> and remove the (replacement #f) override from those two packages,
> because 'package/inherit' will implicitly override 'replacement' as
> appropriate.
> 
> Would you like to try this?

I haven't looked closely at this part of the code yet so it's like magic
to me still.

> 
> > diff --git a/gnu/packages/patches/glibc-CVE-2017-1000366.patch b/gnu/packages/patches/glibc-CVE-2017-1000366.patch
> > new file mode 100644
> > index 000000000..106e81d91
> > --- /dev/null
> > +++ b/gnu/packages/patches/glibc-CVE-2017-1000366.patch
> > @@ -0,0 +1,33 @@
> > +From f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d Mon Sep 17 00:00:00 2001
> > +From: Florian Weimer <fweimer@redhat.com>
> > +Date: Mon, 19 Jun 2017 17:09:55 +0200
> > +Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1
> > + programs [BZ #21624]
> > +
> > +LD_LIBRARY_PATH can only be used to reorder system search paths, which
> > +is not useful functionality.
> > +
> > +This makes an exploitable unbounded alloca in _dl_init_paths unreachable
> > +for AT_SECURE=1 programs.
> > +---
> > + ChangeLog  | 7 +++++++
> > + elf/rtld.c | 3 ++-
> > + 2 files changed, 9 insertions(+), 1 deletion(-)
> > +
> > +diff --git a/elf/rtld.c b/elf/rtld.c
> > +index 2446a87..2269dbe 100644
> > +--- a/elf/rtld.c
> > ++++ b/elf/rtld.c
> > +@@ -2422,7 +2422,8 @@ process_envvars (enum mode *modep)
> > + 
> > + 	case 12:
> > + 	  /* The library search path.  */
> > +-	  if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
> > ++	  if (!__libc_enable_secure
> > ++	      && memcmp (envline, "LIBRARY_PATH", 12) == 0)
> > + 	    {
> > + 	      library_path = &envline[13];
> > + 	      break;
> > +-- 
> > +2.9.3
> > +
> 
> What about the other two patches?  Namely, quoting Leo:
> 
> > ld.so: Reject overly long LD_PRELOAD path elements
> > https://sourceware.org/git/?p=glibc.git;a=commit;h=6d0ba622891bed9d8394eef1935add53003b12e8
> > 
> > ld.so: Reject overly long LD_AUDIT path elements:
> > https://sourceware.org/git/?p=glibc.git;a=commit;h=81b82fb966ffbd94353f793ad17116c6088dedd9

now added

> 
> One more thing: since this grafting of 'glibc' is unprecedented and has
> the potential for breakage, I think it should be tested as follows:
> someone running GuixSD should reconfigure their entire system using the
> grafted 'glibc', and they should boot into it to make sure nothing
> obvious is broken, before we commit.
> 
> Also, we should check the references and make sure that the fixed glibc
> is actually being used.
> 
> Thank you!
> 
>        Mark

After making the changes I built glibc, by which I mean I built at least
gettext-boot0, glibc-final, perl, glibc, expat, and probably a bit more.
On my 10-year-old laptop it took about 2 hours.

@ build-succeeded /gnu/store/974hryqa5fprrymyjkmcfrzn3qmv0dgq-glibc-2.25.drv -
/gnu/store/kczijfli8cb0qjyrfzbrd06bdrpic7lx-glibc-2.25-debug
/gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25

real    125m16.297s
user    0m32.896s
sys     0m3.840s
efraim@macbook42:~/workspace/guix$ guix gc --references /gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25/
/gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25
/gnu/store/946hwcxnd9w13gyqprs0fzkmyyz4hdar-bash-static-4.4.12
/gnu/store/n4fmp3fj1yam5ijwa64irg7glvzsq4i1-bash-4.4.12
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25o

This doubling of glibc, bash and bash-static is the same as I got from
'guix gc --references $(./pre-inst-env guix build glibc)' on another machine.

efraim@macbook42:~/workspace/guix$ guix gc --references /gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25/
/gnu/store/02426nwiy32cscm4h83729vn5ws1gs2i-bash-static-4.4.12
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25
efraim@macbook42:~/workspace/guix$ ./pre-inst-env guix build --fallback -e '(@@ (gnu packages commencement) glibc-final)'
;;; note: source file /home/efraim/workspace/guix/gnu/packages/commencement.scm
;;;       newer than compiled /home/efraim/workspace/guix/gnu/packages/commencement.go
;;; note: source file /home/efraim/workspace/guix/gnu/packages/base.scm
;;;       newer than compiled /home/efraim/workspace/guix/gnu/packages/base.go
/gnu/store/kbp13s4y4mbzww7vvld33di28im94xfi-glibc-2.25-debug
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25

efraim@macbook42:~/workspace/guix$ ./pre-inst-env guix build --fallback python
...snip...
grafting '/gnu/store/3aw9x28la9nh8fzkm665d7fywxzbl15j-python-3.5.3' -> '/gnu/store/66bdsmrgxjgr76f192fsqklzj76g33pf-python-3.5.3'...
grafting '/gnu/store/9bv7jbk734bsk5zacq23wzp60xz06xs6-python-3.5.3-tk' -> '/gnu/store/7hgx1fw4kyc41c5dj963z2d1nsmdli6z-python-3.5.3-tk'...
@ build-succeeded /gnu/store/pymxw6dzibylr5qwhdxzc7il0h07kk9z-python-3.5.3.drv -
/gnu/store/66bdsmrgxjgr76f192fsqklzj76g33pf-python-3.5.3
/gnu/store/7hgx1fw4kyc41c5dj963z2d1nsmdli6z-python-3.5.3-tk

efraim@macbook42:~/workspace/guix$ guix gc --references $(./pre-inst-env guix build python)
;;; note: source file /home/efraim/workspace/guix/gnu/packages/base.scm
;;;       newer than compiled /home/efraim/workspace/guix/gnu/packages/base.go
;;; note: source file /home/efraim/workspace/guix/gnu/packages/commencement.scm
;;;       newer than compiled /home/efraim/workspace/guix/gnu/packages/commencement.go
/gnu/store/66bdsmrgxjgr76f192fsqklzj76g33pf-python-3.5.3
/gnu/store/7v66jlv8y005p2z5754jc1c6xf3rqybh-tk-8.6.6
/gnu/store/hiaxc08awfb6ygpssmlki8sjsxjcak5z-tcl-8.6.6
/gnu/store/p8k2id55pynzjmaixlns94phvr7mz5ls-gcc-5.4.0-lib
/gnu/store/smddwh4gb0bf50js321vm88pvjlcfx04-libx11-1.6.5
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25
/gnu/store/328cimicdjz4w6hr0z7fzvcr9j6ijjvg-readline-7.0
/gnu/store/66bdsmrgxjgr76f192fsqklzj76g33pf-python-3.5.3
/gnu/store/8zhlrp7mq6ibmda8n530xn3ym6l3zhyq-openssl-1.0.2k
/gnu/store/alygmq7pjlrwchpyi4ycxx0w6qgg8kfx-ncurses-6.0
/gnu/store/fd8d47zyhv6m0adv9w2lawhajav3s3ww-xz-5.2.2
/gnu/store/mmmv339r8ymx4fabffzwadjasfc0a5lx-zlib-1.2.11
/gnu/store/n4fmp3fj1yam5ijwa64irg7glvzsq4i1-bash-4.4.12
/gnu/store/nk2f8advrn50jmx0gx24lkqqjswgy0bj-coreutils-8.26
/gnu/store/p8k2id55pynzjmaixlns94phvr7mz5ls-gcc-5.4.0-lib
/gnu/store/pwhhnz4mjky9l3mdswybsgsgl74k7qb9-sqlite-3.17.0
/gnu/store/wcrf85ndv977kky8fazvgbjaybgz758j-libffi-3.2.1
/gnu/store/y6mlqxch93asizcni9f50y4r1y48wbgj-gdbm-1.12
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25
efraim@macbook42:~/workspace/guix$ guix gc --references /gnu/store/66bdsmrgxjgr76f192fsqklzj76g33pf-python-3.5.3/
/gnu/store/328cimicdjz4w6hr0z7fzvcr9j6ijjvg-readline-7.0
/gnu/store/66bdsmrgxjgr76f192fsqklzj76g33pf-python-3.5.3
/gnu/store/8zhlrp7mq6ibmda8n530xn3ym6l3zhyq-openssl-1.0.2k
/gnu/store/alygmq7pjlrwchpyi4ycxx0w6qgg8kfx-ncurses-6.0
/gnu/store/fd8d47zyhv6m0adv9w2lawhajav3s3ww-xz-5.2.2
/gnu/store/mmmv339r8ymx4fabffzwadjasfc0a5lx-zlib-1.2.11
/gnu/store/n4fmp3fj1yam5ijwa64irg7glvzsq4i1-bash-4.4.12
/gnu/store/nk2f8advrn50jmx0gx24lkqqjswgy0bj-coreutils-8.26
/gnu/store/p8k2id55pynzjmaixlns94phvr7mz5ls-gcc-5.4.0-lib
/gnu/store/pwhhnz4mjky9l3mdswybsgsgl74k7qb9-sqlite-3.17.0
/gnu/store/wcrf85ndv977kky8fazvgbjaybgz758j-libffi-3.2.1
/gnu/store/y6mlqxch93asizcni9f50y4r1y48wbgj-gdbm-1.12
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25

So to me it looks like it's working.

Anyone want to try reconfiguring their system to make sure it doesn't
break GuixSD? :)


-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #1.2: 0001-gnu-glibc-Patch-CVE-2017-1000366.patch --]
[-- Type: text/plain, Size: 23103 bytes --]

From 3ca1693715648ac23fd35f8246a3f1d5afd6ce34 Mon Sep 17 00:00:00 2001
From: Efraim Flashner <efraim@flashner.co.il>
Date: Mon, 19 Jun 2017 23:13:53 +0300
Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.

* gnu/packages/base.scm (glibc/linux)[replacement]: New field.
(glibc-2.25-fixed): New variable.
(glibc@2.24, glibc@2.23, glibc@2.22, glibc@2.21)[source]: Add patches.
[replacement]: New field.
(glibc-locales)[replacement]: New field.
* gnu/packages/commencement.scm (cross-gcc-wrapper)[replacement]: New field.
* gnu/packages/patches/glibc-CVE-2017-1000366.patch,
gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch,
gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
---
 gnu/local.mk                                       |   5 +-
 gnu/packages/base.scm                              |  47 ++++-
 gnu/packages/commencement.scm                      |   6 +-
 gnu/packages/patches/glibc-CVE-2017-1000366.patch  |  36 ++++
 .../patches/glibc-reject-long-LD-AUDIT.patch       | 206 +++++++++++++++++++++
 .../patches/glibc-reject-long-LD-PRELOAD.patch     | 124 +++++++++++++
 6 files changed, 414 insertions(+), 10 deletions(-)
 create mode 100644 gnu/packages/patches/glibc-CVE-2017-1000366.patch
 create mode 100644 gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch
 create mode 100644 gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index f0eed694d..d4d6c1c25 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -631,11 +631,14 @@ dist_patch_DATA =						\
   %D%/packages/patches/ghostscript-runpath.patch		\
   %D%/packages/patches/glib-networking-ssl-cert-file.patch	\
   %D%/packages/patches/glib-tests-timer.patch			\
+  %D%/packages/patches/glibc-CVE-2017-1000366.patch		\
   %D%/packages/patches/glibc-bootstrap-system.patch		\
   %D%/packages/patches/glibc-ldd-x86_64.patch			\
   %D%/packages/patches/glibc-locales.patch			\
   %D%/packages/patches/glibc-memchr-overflow-i686.patch		\
   %D%/packages/patches/glibc-o-largefile.patch			\
+  %D%/packages/patches/glibc-reject-long-LD-AUDIT.patch	\
+  %D%/packages/patches/glibc-reject-long-LD-PRELOAD.patch	\
   %D%/packages/patches/glibc-versioned-locpath.patch		\
   %D%/packages/patches/glog-gcc-5-demangling.patch		\
   %D%/packages/patches/gmp-arm-asm-nothumb.patch		\
@@ -657,7 +660,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/guile-present-coding.patch		\
   %D%/packages/patches/guile-relocatable.patch			\
   %D%/packages/patches/guile-rsvg-pkgconfig.patch		\
-  gnu/packages/patches/guile-ssh-channel-finalization.patch	\
+  %D%/packages/patches/guile-ssh-channel-finalization.patch	\
   %D%/packages/patches/guile-ssh-double-free.patch		\
   %D%/packages/patches/guile-ssh-rexec-bug.patch		\
   %D%/packages/patches/gtk2-respect-GUIX_GTK2_PATH.patch	\
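Review bot: the `gnu/packages/patches/guile-ssh-channel-finalization.patch` to `%D%/packages/patches/guile-ssh-channel-finalization.patch` correction in this hunk is unrelated to the glibc fix and is not mentioned in the commit message; either drop it from this patch and commit it on its own, or add a `* gnu/local.mk (dist_patch_DATA): Use %D% for guile-ssh-channel-finalization.patch.` line so the ChangeLog matches the diff.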
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index d135a18bf..47838d89b 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -5,7 +5,7 @@
 ;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2014 Alex Kost <alezost@gmail.com>
 ;;; Copyright © 2014, 2015 Manolis Fragkiskos Ragkousis <manolis837@gmail.com>
-;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
 ;;;
@@ -558,6 +558,7 @@ store.")
   (package
    (name "glibc")
    (version "2.25")
+   (replacement glibc-2.25-patched)
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/glibc/glibc-"
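Review bot: the replacement referenced here is `glibc-2.25-patched`, but the commit message says `(glibc-2.25-fixed): New variable.`; pick one name so the ChangeLog entry and the code agree. A short comment next to the field naming CVE-2017-1000366 and the two LD_PRELOAD/LD_AUDIT hardening commits would also help, since a `replacement` field has to be removed again once the fix goes into a full rebuild and the reason for it is otherwise only in git history.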
@@ -904,34 +905,62 @@ GLIBC/HURD for a Hurd host"
 ;; Below are old libc versions, which we use mostly to build locale data in
 ;; the old format (which the new libc cannot cope with.)
 
+(define glibc-2.25-patched
+  (package
+    (inherit glibc)
+    (replacement #f)
+    (source (origin
+              (inherit (package-source glibc))
+              (patches (search-patches "glibc-CVE-2017-1000366.patch"
+                                       "glibc-ldd-x86_64.patch"
+                                       "glibc-versioned-locpath.patch"
+                                       "glibc-o-largefile.patch"
+                                       "glibc-reject-long-LD-AUDIT.patch"
+                                       "glibc-reject-long-LD-PRELOAD.patch"))))))
+
 (define-public glibc-2.24
   (package
     (inherit glibc)
     (version "2.24")
+    (replacement #f)
     (source (origin
               (inherit (package-source glibc))
               (uri (string-append "mirror://gnu/glibc/glibc-"
                                   version ".tar.xz"))
               (sha256
                (base32
-                "1lxmprg9gm73gvafxd503x70z32phwjzcy74i0adfi6ixzla7m4r"))))))
+                "1lxmprg9gm73gvafxd503x70z32phwjzcy74i0adfi6ixzla7m4r"))
+              (patches (search-patches "glibc-CVE-2017-1000366.patch"
+                                       "glibc-ldd-x86_64.patch"
+                                       "glibc-versioned-locpath.patch"
+                                       "glibc-o-largefile.patch"
+                                       "glibc-reject-long-LD-AUDIT.patch"
+                                       "glibc-reject-long-LD-PRELOAD.patch"))))))
 
 (define-public glibc-2.23
   (package
     (inherit glibc)
     (version "2.23")
+    (replacement #f)
     (source (origin
               (inherit (package-source glibc))
               (uri (string-append "mirror://gnu/glibc/glibc-"
                                   version ".tar.xz"))
               (sha256
                (base32
-                "1s8krs3y2n6pzav7ic59dz41alqalphv7vww4138ag30wh0fpvwl"))))))
+                "1s8krs3y2n6pzav7ic59dz41alqalphv7vww4138ag30wh0fpvwl"))
+              (patches (search-patches "glibc-CVE-2017-1000366.patch"
+                                       "glibc-ldd-x86_64.patch"
+                                       "glibc-versioned-locpath.patch"
+                                       "glibc-o-largefile.patch"
+                                       "glibc-reject-long-LD-AUDIT.patch"
+                                       "glibc-reject-long-LD-PRELOAD.patch"))))))
 
 (define-public glibc-2.22
   (package
     (inherit glibc)
     (version "2.22")
+    (replacement #f)
     (source (origin
               (inherit (package-source glibc))
               (uri (string-append "mirror://gnu/glibc/glibc-"
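Review bot: `glibc-2.25-patched`, and the `glibc-2.24` and `glibc-2.23` origins below it, spell out the inherited patch list (`glibc-ldd-x86_64.patch`, `glibc-versioned-locpath.patch`, `glibc-o-largefile.patch`) by hand, so any patch later added to or removed from `glibc` silently diverges from its graft; the `glibc-locales` definition further down already shows the robust form, `(patches (cons ... (origin-patches (package-source glibc))))`, and `(append (search-patches "glibc-CVE-2017-1000366.patch" "glibc-reject-long-LD-PRELOAD.patch" "glibc-reject-long-LD-AUDIT.patch") (origin-patches (package-source glibc)))` would do the same here. Separately, list `glibc-reject-long-LD-PRELOAD.patch` before `glibc-reject-long-LD-AUDIT.patch` in every `search-patches` call: the LD_AUDIT patch uses `dso_name_valid_for_suid` and `SECURE_NAME_LIMIT`, which the LD_PRELOAD patch introduces, and its `elf/rtld.c` index line (`86ae20c..65647fb`) continues from the LD_PRELOAD patch's (`2269dbe..86ae20c`), so with the current order the LD_AUDIT hunks are applied to a file that does not yet contain those definitions and only line up by fuzz.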
@@ -939,7 +968,10 @@ GLIBC/HURD for a Hurd host"
               (sha256
                (base32
                 "0j49682pm2nh4qbdw35bas82p1pgfnz4d2l7iwfyzvrvj0318wzb"))
-              (patches (search-patches "glibc-ldd-x86_64.patch"))))
+              (patches (search-patches "glibc-CVE-2017-1000366.patch"
+                                       "glibc-ldd-x86_64.patch"
+                                       "glibc-reject-long-LD-AUDIT.patch"
+                                       "glibc-reject-long-LD-PRELOAD.patch"))))
     (arguments
       (substitute-keyword-arguments (package-arguments glibc)
         ((#:phases phases)
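Review bot: the three rtld.c patches pulled in here for `glibc-2.22` were generated against the 2.25-era `elf/rtld.c` (index lines `2446a87`, `2269dbe`, `86ae20c` in the patch files), not against 2.22, so please confirm that `guix build --source -e '(@ (gnu packages base) glibc-2.22)'` succeeds with all three applied and that `patch` reports no fuzz or offset for them; the same ordering point applies, `glibc-reject-long-LD-PRELOAD.patch` should precede `glibc-reject-long-LD-AUDIT.patch`.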
@@ -948,7 +980,8 @@ GLIBC/HURD for a Hurd host"
               (lambda _
                 ;; Use `pwd' instead of `/bin/pwd' for glibc-2.21
                 (substitute* "configure"
-                  (("/bin/pwd") "pwd"))))))))))
+                  (("/bin/pwd") "pwd"))
+                #t))))))))
 
 (define-public glibc-2.21
   (package
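Review bot: adding the trailing `#t` to the `configure` substitution phase in `glibc-2.22`'s arguments is a correct cleanup (build phases should return a true value), but it is unrelated to CVE-2017-1000366 and not listed in the commit message; mention it under `(glibc@2.22)[arguments]` or move it to its own commit.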
@@ -960,13 +993,13 @@ GLIBC/HURD for a Hurd host"
                                   version ".tar.xz"))
               (sha256
                (base32
-                "1f135546j34s9bfkydmx2nhh9vwxlx60jldi80zmsnln6wj3dsxf"))
-              (patches (search-patches "glibc-ldd-x86_64.patch"))))))
+                "1f135546j34s9bfkydmx2nhh9vwxlx60jldi80zmsnln6wj3dsxf"))))))
 
 (define-public glibc-locales
   (package
     (inherit glibc)
     (name "glibc-locales")
+    (replacement #f)
     (source (origin (inherit (package-source glibc))
                     (patches (cons (search-patch "glibc-locales.patch")
                                    (origin-patches (package-source glibc))))))
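Review bot: the `glibc-2.21` part of this hunk removes its explicit `(patches (search-patches "glibc-ldd-x86_64.patch"))` instead of adding the CVE patches the commit message promises for `glibc@2.21`, and no hunk adds `(replacement #f)` to it either; since its origin inherits from `glibc`, dropping the field makes it inherit the 2.25 patch list wholesale, which matches the follow-up report that the 2.21 source could not be built. Give it the same explicit `patches` list as `glibc-2.22` (or inherit its origin from `glibc-2.22`, as the follow-up does) and add `(replacement #f)`. For `glibc-locales`, `(replacement #f)` is defensible because that package only ships locale data, not `ld.so`, but the hunk gives no reason, so add a one-line comment above the field; otherwise the next person auditing CVE-2017-1000366 coverage will wonder whether this package was missed.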
diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
index 1b41feac1..eea246756 100644
--- a/gnu/packages/commencement.scm
+++ b/gnu/packages/commencement.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2014 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2012 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -467,7 +468,7 @@ the bootstrap environment."
   ;; built just below; the only difference is that this one uses the
   ;; bootstrap Bash.
   (package-with-bootstrap-guile
-   (package (inherit glibc)
+   (package/inherit glibc
      (name "glibc-intermediate")
      (arguments
       `(#:guile ,%bootstrap-guile
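Review bot: `package/inherit` is applied inside `package-with-bootstrap-guile`, which builds a fresh package record from its argument, so please confirm that the resulting `glibc-intermediate` still carries the replacement, e.g. by checking that `guix build -e '(@@ (gnu packages commencement) glibc-final-with-bootstrap-bash)'` prints a `grafting` line and that `guix gc --references` on its output names the patched glibc. The reference listings later in the thread cover `glibc-final` and `glibc` but not this intermediate package.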
@@ -540,6 +541,7 @@ the bootstrap environment."
 that makes it available under the native tool names."
   (package (inherit gcc)
     (name (string-append (package-name gcc) "-wrapped"))
+    (replacement #f)
     (source #f)
     (build-system trivial-build-system)
     (outputs '("out"))
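Review bot: neither the hunk nor the commit message says which replacement the gcc wrapper would otherwise pick up or why it must be suppressed (`gcc` itself gets no `replacement` in this patch, and the wrapper has `(source #f)`); add a comment stating the intent, since a bare `(replacement #f)` on a package that never had one reads like a leftover from debugging.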
@@ -640,7 +642,7 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
 
 (define glibc-final
   ;; The final glibc, which embeds the statically-linked Bash built above.
-  (package (inherit glibc-final-with-bootstrap-bash)
+  (package/inherit glibc-final-with-bootstrap-bash
     (name "glibc")
     (inputs `(("static-bash" ,static-bash-for-glibc)
               ,@(alist-delete
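Review bot: the switch from `(package (inherit ...))` to `package/inherit` for `glibc-final` and `glibc-intermediate` is the change that actually propagates the graft to the rest of the distribution, yet the commit message lists only `(cross-gcc-wrapper)[replacement]` for commencement.scm; add `(glibc-final-with-bootstrap-bash, glibc-final): Use 'package/inherit'.` so the ChangeLog reflects it.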
diff --git a/gnu/packages/patches/glibc-CVE-2017-1000366.patch b/gnu/packages/patches/glibc-CVE-2017-1000366.patch
new file mode 100644
index 000000000..71e80968b
--- /dev/null
+++ b/gnu/packages/patches/glibc-CVE-2017-1000366.patch
@@ -0,0 +1,36 @@
+From f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 19 Jun 2017 17:09:55 +0200
+Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1
+ programs [BZ #21624]
+
+LD_LIBRARY_PATH can only be used to reorder system search paths, which
+is not useful functionality.
+
+This makes an exploitable unbounded alloca in _dl_init_paths unreachable
+for AT_SECURE=1 programs.
+
+patch from:
+https://sourceware.org/git/?p=glibc.git;a=commit;h=f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d
+---
+ ChangeLog  | 7 +++++++
+ elf/rtld.c | 3 ++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 2446a87..2269dbe 100644
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -2422,7 +2422,8 @@ process_envvars (enum mode *modep)
+ 
+ 	case 12:
+ 	  /* The library search path.  */
+-	  if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
++	  if (!__libc_enable_secure
++	      && memcmp (envline, "LIBRARY_PATH", 12) == 0)
+ 	    {
+ 	      library_path = &envline[13];
+ 	      break;
+-- 
+2.9.3
+
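Review bot: the diffstat in this embedded patch still lists `ChangeLog | 7 +++++++` although the ChangeLog hunk was dropped, so `2 files changed, 9 insertions(+), 1 deletion(-)` no longer matches what follows; `patch` does not care, but trimming the stat (or a note that the ChangeLog hunk was intentionally omitted) saves a reader from concluding the file was truncated. The added `patch from:` URL pointing at the upstream commit is the right way to record provenance.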
diff --git a/gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch b/gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch
new file mode 100644
index 000000000..3d8f6d2bf
--- /dev/null
+++ b/gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch
@@ -0,0 +1,206 @@
+From 81b82fb966ffbd94353f793ad17116c6088dedd9 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 19 Jun 2017 22:32:12 +0200
+Subject: [PATCH] ld.so: Reject overly long LD_AUDIT path elements
+
+Also only process the last LD_AUDIT entry.
+
+patch from:
+https://sourceware.org/git/?p=glibc.git;a=commit;h=81b82fb966ffbd94353f793ad17116c6088dedd9
+
+---
+ ChangeLog  |  11 +++++++
+ elf/rtld.c | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++---------
+ 2 files changed, 106 insertions(+), 15 deletions(-)
+
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 86ae20c..65647fb 100644
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -129,13 +129,91 @@ dso_name_valid_for_suid (const char *p)
+   return *p != '\0';
+ }
+ 
+-/* List of auditing DSOs.  */
++/* LD_AUDIT variable contents.  Must be processed before the
++   audit_list below.  */
++const char *audit_list_string;
++
++/* Cyclic list of auditing DSOs.  audit_list->next is the first
++   element.  */
+ static struct audit_list
+ {
+   const char *name;
+   struct audit_list *next;
+ } *audit_list;
+ 
++/* Iterator for audit_list_string followed by audit_list.  */
++struct audit_list_iter
++{
++  /* Tail of audit_list_string still needing processing, or NULL.  */
++  const char *audit_list_tail;
++
++  /* The list element returned in the previous iteration.  NULL before
++     the first element.  */
++  struct audit_list *previous;
++
++  /* Scratch buffer for returning a name which is part of
++     audit_list_string.  */
++  char fname[SECURE_NAME_LIMIT];
++};
++
++/* Initialize an audit list iterator.  */
++static void
++audit_list_iter_init (struct audit_list_iter *iter)
++{
++  iter->audit_list_tail = audit_list_string;
++  iter->previous = NULL;
++}
++
++/* Iterate through both audit_list_string and audit_list.  */
++static const char *
++audit_list_iter_next (struct audit_list_iter *iter)
++{
++  if (iter->audit_list_tail != NULL)
++    {
++      /* First iterate over audit_list_string.  */
++      while (*iter->audit_list_tail != '\0')
++	{
++	  /* Split audit list at colon.  */
++	  size_t len = strcspn (iter->audit_list_tail, ":");
++	  if (len > 0 && len < sizeof (iter->fname))
++	    {
++	      memcpy (iter->fname, iter->audit_list_tail, len);
++	      iter->fname[len] = '\0';
++	    }
++	  else
++	    /* Do not return this name to the caller.  */
++	    iter->fname[0] = '\0';
++
++	  /* Skip over the substring and the following delimiter.  */
++	  iter->audit_list_tail += len;
++	  if (*iter->audit_list_tail == ':')
++	    ++iter->audit_list_tail;
++
++	  /* If the name is valid, return it.  */
++	  if (dso_name_valid_for_suid (iter->fname))
++	    return iter->fname;
++	  /* Otherwise, wrap around and try the next name.  */
++	}
++      /* Fall through to the procesing of audit_list.  */
++    }
++
++  if (iter->previous == NULL)
++    {
++      if (audit_list == NULL)
++	/* No pre-parsed audit list.  */
++	return NULL;
++      /* Start of audit list.  The first list element is at
++	 audit_list->next (cyclic list).  */
++      iter->previous = audit_list->next;
++      return iter->previous->name;
++    }
++  if (iter->previous == audit_list)
++    /* Cyclic list wrap-around.  */
++    return NULL;
++  iter->previous = iter->previous->next;
++  return iter->previous->name;
++}
++
+ #ifndef HAVE_INLINED_SYSCALLS
+ /* Set nonzero during loading and initialization of executable and
+    libraries, cleared before the executable's entry point runs.  This
+@@ -1305,11 +1383,13 @@ of this helper program; chances are you did not intend to run this program.\n\
+     GL(dl_rtld_map).l_tls_modid = _dl_next_tls_modid ();
+ 
+   /* If we have auditing DSOs to load, do it now.  */
+-  if (__glibc_unlikely (audit_list != NULL))
++  bool need_security_init = true;
++  if (__glibc_unlikely (audit_list != NULL)
++      || __glibc_unlikely (audit_list_string != NULL))
+     {
+-      /* Iterate over all entries in the list.  The order is important.  */
+       struct audit_ifaces *last_audit = NULL;
+-      struct audit_list *al = audit_list->next;
++      struct audit_list_iter al_iter;
++      audit_list_iter_init (&al_iter);
+ 
+       /* Since we start using the auditing DSOs right away we need to
+ 	 initialize the data structures now.  */
+@@ -1320,9 +1400,14 @@ of this helper program; chances are you did not intend to run this program.\n\
+ 	 use different values (especially the pointer guard) and will
+ 	 fail later on.  */
+       security_init ();
++      need_security_init = false;
+ 
+-      do
++      while (true)
+ 	{
++	  const char *name = audit_list_iter_next (&al_iter);
++	  if (name == NULL)
++	    break;
++
+ 	  int tls_idx = GL(dl_tls_max_dtv_idx);
+ 
+ 	  /* Now it is time to determine the layout of the static TLS
+@@ -1331,7 +1416,7 @@ of this helper program; chances are you did not intend to run this program.\n\
+ 	     no DF_STATIC_TLS bit is set.  The reason is that we know
+ 	     glibc will use the static model.  */
+ 	  struct dlmopen_args dlmargs;
+-	  dlmargs.fname = al->name;
++	  dlmargs.fname = name;
+ 	  dlmargs.map = NULL;
+ 
+ 	  const char *objname;
+@@ -1344,7 +1429,7 @@ of this helper program; chances are you did not intend to run this program.\n\
+ 	    not_loaded:
+ 	      _dl_error_printf ("\
+ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
+-				al->name, err_str);
++				name, err_str);
+ 	      if (malloced)
+ 		free ((char *) err_str);
+ 	    }
+@@ -1448,10 +1533,7 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
+ 		  goto not_loaded;
+ 		}
+ 	    }
+-
+-	  al = al->next;
+ 	}
+-      while (al != audit_list->next);
+ 
+       /* If we have any auditing modules, announce that we already
+ 	 have two objects loaded.  */
+@@ -1715,7 +1797,7 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
+   if (tcbp == NULL)
+     tcbp = init_tls ();
+ 
+-  if (__glibc_likely (audit_list == NULL))
++  if (__glibc_likely (need_security_init))
+     /* Initialize security features.  But only if we have not done it
+        earlier.  */
+     security_init ();
+@@ -2346,9 +2428,7 @@ process_dl_audit (char *str)
+   char *p;
+ 
+   while ((p = (strsep) (&str, ":")) != NULL)
+-    if (p[0] != '\0'
+-	&& (__builtin_expect (! __libc_enable_secure, 1)
+-	    || strchr (p, '/') == NULL))
++    if (dso_name_valid_for_suid (p))
+       {
+ 	/* This is using the local malloc, not the system malloc.  The
+ 	   memory can never be freed.  */
+@@ -2412,7 +2492,7 @@ process_envvars (enum mode *modep)
+ 	      break;
+ 	    }
+ 	  if (memcmp (envline, "AUDIT", 5) == 0)
+-	    process_dl_audit (&envline[6]);
++	    audit_list_string = &envline[6];
+ 	  break;
+ 
+ 	case 7:
+-- 
+2.9.3
+
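Review bot: this patch only applies on top of `glibc-reject-long-LD-PRELOAD.patch`: the new iterator declares `char fname[SECURE_NAME_LIMIT];` and calls `dso_name_valid_for_suid`, both introduced by the LD_PRELOAD patch, and its `elf/rtld.c` index line `86ae20c..65647fb` starts where that patch's `2269dbe..86ae20c` ends, yet the `search-patches` lists in base.scm name it before the LD_PRELOAD patch; swap the order there. The `ChangeLog | 11 +++++++` diffstat entry has no matching hunk in this copy, as in the CVE patch file.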
diff --git a/gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch b/gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch
new file mode 100644
index 000000000..4b859c4bf
--- /dev/null
+++ b/gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch
@@ -0,0 +1,124 @@
+From 6d0ba622891bed9d8394eef1935add53003b12e8 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 19 Jun 2017 22:31:04 +0200
+Subject: [PATCH] ld.so: Reject overly long LD_PRELOAD path elements
+
+patch from:
+https://sourceware.org/git/?p=glibc.git;a=patch;h=6d0ba622891bed9d8394eef1935add53003b12e8
+
+---
+ ChangeLog  |  7 ++++++
+ elf/rtld.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++------------
+ 2 files changed, 73 insertions(+), 16 deletions(-)
+
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 2269dbe..86ae20c 100644
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -99,6 +99,35 @@ uintptr_t __pointer_chk_guard_local
+ strong_alias (__pointer_chk_guard_local, __pointer_chk_guard)
+ #endif
+ 
++/* Length limits for names and paths, to protect the dynamic linker,
++   particularly when __libc_enable_secure is active.  */
++#ifdef NAME_MAX
++# define SECURE_NAME_LIMIT NAME_MAX
++#else
++# define SECURE_NAME_LIMIT 255
++#endif
++#ifdef PATH_MAX
++# define SECURE_PATH_LIMIT PATH_MAX
++#else
++# define SECURE_PATH_LIMIT 1024
++#endif
++
++/* Check that AT_SECURE=0, or that the passed name does not contain
++   directories and is not overly long.  Reject empty names
++   unconditionally.  */
++static bool
++dso_name_valid_for_suid (const char *p)
++{
++  if (__glibc_unlikely (__libc_enable_secure))
++    {
++      /* Ignore pathnames with directories for AT_SECURE=1
++	 programs, and also skip overlong names.  */
++      size_t len = strlen (p);
++      if (len >= SECURE_NAME_LIMIT || memchr (p, '/', len) != NULL)
++	return false;
++    }
++  return *p != '\0';
++}
+ 
+ /* List of auditing DSOs.  */
+ static struct audit_list
+@@ -718,6 +747,42 @@ static const char *preloadlist attribute_relro;
+ /* Nonzero if information about versions has to be printed.  */
+ static int version_info attribute_relro;
+ 
++/* The LD_PRELOAD environment variable gives list of libraries
++   separated by white space or colons that are loaded before the
++   executable's dependencies and prepended to the global scope list.
++   (If the binary is running setuid all elements containing a '/' are
++   ignored since it is insecure.)  Return the number of preloads
++   performed.  */
++unsigned int
++handle_ld_preload (const char *preloadlist, struct link_map *main_map)
++{
++  unsigned int npreloads = 0;
++  const char *p = preloadlist;
++  char fname[SECURE_PATH_LIMIT];
++
++  while (*p != '\0')
++    {
++      /* Split preload list at space/colon.  */
++      size_t len = strcspn (p, " :");
++      if (len > 0 && len < sizeof (fname))
++	{
++	  memcpy (fname, p, len);
++	  fname[len] = '\0';
++	}
++      else
++	fname[0] = '\0';
++
++      /* Skip over the substring and the following delimiter.  */
++      p += len;
++      if (*p != '\0')
++	++p;
++
++      if (dso_name_valid_for_suid (fname))
++	npreloads += do_preload (fname, main_map, "LD_PRELOAD");
++    }
++  return npreloads;
++}
++
+ static void
+ dl_main (const ElfW(Phdr) *phdr,
+ 	 ElfW(Word) phnum,
+@@ -1464,23 +1529,8 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
+ 
+   if (__glibc_unlikely (preloadlist != NULL))
+     {
+-      /* The LD_PRELOAD environment variable gives list of libraries
+-	 separated by white space or colons that are loaded before the
+-	 executable's dependencies and prepended to the global scope
+-	 list.  If the binary is running setuid all elements
+-	 containing a '/' are ignored since it is insecure.  */
+-      char *list = strdupa (preloadlist);
+-      char *p;
+-
+       HP_TIMING_NOW (start);
+-
+-      /* Prevent optimizing strsep.  Speed is not important here.  */
+-      while ((p = (strsep) (&list, " :")) != NULL)
+-	if (p[0] != '\0'
+-	    && (__builtin_expect (! __libc_enable_secure, 1)
+-		|| strchr (p, '/') == NULL))
+-	  npreloads += do_preload (p, main_map, "LD_PRELOAD");
+-
++      npreloads += handle_ld_preload (preloadlist, main_map);
+       HP_TIMING_NOW (stop);
+       HP_TIMING_DIFF (diff, start, stop);
+       HP_TIMING_ACCUM_NT (load_time, diff);
+-- 
+2.9.3
+
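Review bot: the `patch from:` URL here uses `a=patch` where the other two embedded patches use `a=commit`; both resolve, but the commit view is the one that shows the ChangeLog hunk this copy omits (the diffstat still lists `ChangeLog | 7 ++++++`), so using `a=commit` consistently makes it easier to verify the copy against upstream.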
-- 
2.13.1


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]


* bug#27429: Stack clash (CVE-2017-1000366 etc)
  2017-06-21  8:41       ` Efraim Flashner
@ 2017-06-21  9:50         ` Efraim Flashner
  2017-06-21 23:52           ` Leo Famulari
  2017-06-23 17:20           ` bug#27429: Stack clash (CVE-2017-1000366 etc) Leo Famulari
  0 siblings, 2 replies; 37+ messages in thread
From: Efraim Flashner @ 2017-06-21  9:50 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: 27429


[-- Attachment #1.1: Type: text/plain, Size: 446 bytes --]

Had to make a small change to the patch: it turns out it couldn't build
the source for glibc@2.21, so I changed the source to inherit from
glibc@2.22 and not just from glibc. It doesn't change anything for the
actual glibc@2.25.

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #1.2: 0001-gnu-glibc-Patch-CVE-2017-1000366.patch --]
[-- Type: text/plain, Size: 23293 bytes --]

From ef14fa6db5eaedabbaa092cbed2b6f8ee903837c Mon Sep 17 00:00:00 2001
From: Efraim Flashner <efraim@flashner.co.il>
Date: Mon, 19 Jun 2017 23:13:53 +0300
Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.

* gnu/packages/base.scm (glibc/linux)[replacement]: New field.
(glibc-2.25-fixed): New variable.
(glibc@2.24, glibc@2.23, glibc@2.22, glibc@2.21)[source]: Add patches.
[replacement]: New field.
(glibc-locales)[replacement]: New field.
* gnu/packages/commencement.scm (cross-gcc-wrapper)[replacement]: New field.
* gnu/packages/patches/glibc-CVE-2017-1000366.patch,
gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch,
gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
---
 gnu/local.mk                                       |   5 +-
 gnu/packages/base.scm                              |  49 ++++-
 gnu/packages/commencement.scm                      |   6 +-
 gnu/packages/patches/glibc-CVE-2017-1000366.patch  |  36 ++++
 .../patches/glibc-reject-long-LD-AUDIT.patch       | 206 +++++++++++++++++++++
 .../patches/glibc-reject-long-LD-PRELOAD.patch     | 124 +++++++++++++
 6 files changed, 415 insertions(+), 11 deletions(-)
 create mode 100644 gnu/packages/patches/glibc-CVE-2017-1000366.patch
 create mode 100644 gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch
 create mode 100644 gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index f0eed694d..d4d6c1c25 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -631,11 +631,14 @@ dist_patch_DATA =						\
   %D%/packages/patches/ghostscript-runpath.patch		\
   %D%/packages/patches/glib-networking-ssl-cert-file.patch	\
   %D%/packages/patches/glib-tests-timer.patch			\
+  %D%/packages/patches/glibc-CVE-2017-1000366.patch		\
   %D%/packages/patches/glibc-bootstrap-system.patch		\
   %D%/packages/patches/glibc-ldd-x86_64.patch			\
   %D%/packages/patches/glibc-locales.patch			\
   %D%/packages/patches/glibc-memchr-overflow-i686.patch		\
   %D%/packages/patches/glibc-o-largefile.patch			\
+  %D%/packages/patches/glibc-reject-long-LD-AUDIT.patch	\
+  %D%/packages/patches/glibc-reject-long-LD-PRELOAD.patch	\
   %D%/packages/patches/glibc-versioned-locpath.patch		\
   %D%/packages/patches/glog-gcc-5-demangling.patch		\
   %D%/packages/patches/gmp-arm-asm-nothumb.patch		\
@@ -657,7 +660,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/guile-present-coding.patch		\
   %D%/packages/patches/guile-relocatable.patch			\
   %D%/packages/patches/guile-rsvg-pkgconfig.patch		\
-  gnu/packages/patches/guile-ssh-channel-finalization.patch	\
+  %D%/packages/patches/guile-ssh-channel-finalization.patch	\
   %D%/packages/patches/guile-ssh-double-free.patch		\
   %D%/packages/patches/guile-ssh-rexec-bug.patch		\
   %D%/packages/patches/gtk2-respect-GUIX_GTK2_PATH.patch	\
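Review bot: the 'gnu/packages/patches/guile-ssh-channel-finalization.patch' to '%D%/...' change in this hunk is unrelated to the glibc fix and belongs in its own commit; a security graft commit should contain only what changes the build, so that it can be reviewed and cherry-picked as a unit.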
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index d135a18bf..70f57b9ff 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -5,7 +5,7 @@
 ;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2014 Alex Kost <alezost@gmail.com>
 ;;; Copyright © 2014, 2015 Manolis Fragkiskos Ragkousis <manolis837@gmail.com>
-;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
 ;;;
@@ -558,6 +558,7 @@ store.")
   (package
    (name "glibc")
    (version "2.25")
+   (replacement glibc-2.25-patched)
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/glibc/glibc-"
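Review bot: the commit message names the new variable 'glibc-2.25-fixed', but this field references 'glibc-2.25-patched'; make the two agree before pushing. The forward reference to a variable defined further down in base.scm is fine because the 'replacement' field is delayed, but the replacement has to produce exactly the same outputs as 'glibc' (including the "debug" output) for the graft to be valid, so any later change to the output list of one must be mirrored in the other.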
@@ -904,34 +905,62 @@ GLIBC/HURD for a Hurd host"
 ;; Below are old libc versions, which we use mostly to build locale data in
 ;; the old format (which the new libc cannot cope with.)
 
+(define glibc-2.25-patched
+  (package
+    (inherit glibc)
+    (replacement #f)
+    (source (origin
+              (inherit (package-source glibc))
+              (patches (search-patches "glibc-CVE-2017-1000366.patch"
+                                       "glibc-ldd-x86_64.patch"
+                                       "glibc-versioned-locpath.patch"
+                                       "glibc-o-largefile.patch"
+                                       "glibc-reject-long-LD-AUDIT.patch"
+                                       "glibc-reject-long-LD-PRELOAD.patch"))))))
+
 (define-public glibc-2.24
   (package
     (inherit glibc)
     (version "2.24")
+    (replacement #f)
     (source (origin
               (inherit (package-source glibc))
               (uri (string-append "mirror://gnu/glibc/glibc-"
                                   version ".tar.xz"))
               (sha256
                (base32
-                "1lxmprg9gm73gvafxd503x70z32phwjzcy74i0adfi6ixzla7m4r"))))))
+                "1lxmprg9gm73gvafxd503x70z32phwjzcy74i0adfi6ixzla7m4r"))
+              (patches (search-patches "glibc-CVE-2017-1000366.patch"
+                                       "glibc-ldd-x86_64.patch"
+                                       "glibc-versioned-locpath.patch"
+                                       "glibc-o-largefile.patch"
+                                       "glibc-reject-long-LD-AUDIT.patch"
+                                       "glibc-reject-long-LD-PRELOAD.patch"))))))
 
 (define-public glibc-2.23
   (package
     (inherit glibc)
     (version "2.23")
+    (replacement #f)
     (source (origin
               (inherit (package-source glibc))
               (uri (string-append "mirror://gnu/glibc/glibc-"
                                   version ".tar.xz"))
               (sha256
                (base32
-                "1s8krs3y2n6pzav7ic59dz41alqalphv7vww4138ag30wh0fpvwl"))))))
+                "1s8krs3y2n6pzav7ic59dz41alqalphv7vww4138ag30wh0fpvwl"))
+              (patches (search-patches "glibc-CVE-2017-1000366.patch"
+                                       "glibc-ldd-x86_64.patch"
+                                       "glibc-versioned-locpath.patch"
+                                       "glibc-o-largefile.patch"
+                                       "glibc-reject-long-LD-AUDIT.patch"
+                                       "glibc-reject-long-LD-PRELOAD.patch"))))))
 
 (define-public glibc-2.22
   (package
     (inherit glibc)
     (version "2.22")
+    (replacement #f)
     (source (origin
               (inherit (package-source glibc))
               (uri (string-append "mirror://gnu/glibc/glibc-"
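Review bot: the patch lists here name glibc-reject-long-LD-AUDIT.patch before glibc-reject-long-LD-PRELOAD.patch, but the embedded patch headers show the upstream order is the reverse: the CVE patch produces blob 2269dbe, the LD-PRELOAD patch is 'index 2269dbe..86ae20c', and the LD-AUDIT patch is 'index 86ae20c..65647fb' and its first hunk relies on dso_name_valid_for_suid and SECURE_NAME_LIMIT, both introduced by the LD-PRELOAD patch. Guix applies 'patches' in list order, so list LD-PRELOAD before LD-AUDIT in glibc-2.25-patched, glibc-2.24 and glibc-2.23 (and in glibc-2.22 below) so the hunks apply at their intended context rather than by fuzz. Separately, glibc-2.25-patched restates the parent's patch list by hand; '(append (search-patches "glibc-CVE-2017-1000366.patch" ...) (origin-patches (package-source glibc)))', as glibc-locales already does, would keep the replacement in sync if a patch is later added to 'glibc'. The same six-entry list is also repeated four times; a single variable would avoid the next copy-paste drift.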
@@ -939,7 +968,10 @@ GLIBC/HURD for a Hurd host"
               (sha256
                (base32
                 "0j49682pm2nh4qbdw35bas82p1pgfnz4d2l7iwfyzvrvj0318wzb"))
-              (patches (search-patches "glibc-ldd-x86_64.patch"))))
+              (patches (search-patches "glibc-CVE-2017-1000366.patch"
+                                       "glibc-ldd-x86_64.patch"
+                                       "glibc-reject-long-LD-AUDIT.patch"
+                                       "glibc-reject-long-LD-PRELOAD.patch"))))
     (arguments
       (substitute-keyword-arguments (package-arguments glibc)
         ((#:phases phases)
@@ -948,25 +980,26 @@ GLIBC/HURD for a Hurd host"
               (lambda _
                 ;; Use `pwd' instead of `/bin/pwd' for glibc-2.21
                 (substitute* "configure"
-                  (("/bin/pwd") "pwd"))))))))))
+                  (("/bin/pwd") "pwd"))
+                #t))))))))
 
 (define-public glibc-2.21
   (package
     (inherit glibc-2.22)
     (version "2.21")
     (source (origin
-              (inherit (package-source glibc))
+              (inherit (package-source glibc-2.22))
               (uri (string-append "mirror://gnu/glibc/glibc-"
                                   version ".tar.xz"))
               (sha256
                (base32
-                "1f135546j34s9bfkydmx2nhh9vwxlx60jldi80zmsnln6wj3dsxf"))
-              (patches (search-patches "glibc-ldd-x86_64.patch"))))))
+                "1f135546j34s9bfkydmx2nhh9vwxlx60jldi80zmsnln6wj3dsxf"))))))
 
 (define-public glibc-locales
   (package
     (inherit glibc)
     (name "glibc-locales")
+    (replacement #f)
     (source (origin (inherit (package-source glibc))
                     (patches (cons (search-patch "glibc-locales.patch")
                                    (origin-patches (package-source glibc))))))
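Review bot: three things in this hunk are missing from the commit message. The '#t' now returned from the glibc-2.22 'configure' substitution phase is an unrelated cleanup and should be its own commit. glibc-2.21 now receives its patches by inheriting '(package-source glibc-2.22)' instead of an explicit '(patches ...)', so "(glibc@2.21)[source]: Add patches" should say that (the dropped explicit glibc-ldd-x86_64.patch still arrives through 2.22). And glibc-locales keeps building from the unpatched '(package-source glibc)' with only glibc-locales.patch prepended; that is defensible if its output is locale data only, but it is the one glibc-derived package here that opts out of grafting without receiving the patches, so state that intent in the log.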
diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
index 1b41feac1..eea246756 100644
--- a/gnu/packages/commencement.scm
+++ b/gnu/packages/commencement.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2014 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2012 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -467,7 +468,7 @@ the bootstrap environment."
   ;; built just below; the only difference is that this one uses the
   ;; bootstrap Bash.
   (package-with-bootstrap-guile
-   (package (inherit glibc)
+   (package/inherit glibc
      (name "glibc-intermediate")
      (arguments
       `(#:guile ,%bootstrap-guile
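Review bot: the switch from '(package (inherit glibc) ...)' to 'package/inherit glibc' is not mentioned in the commit message, and it should be, because it changes behaviour: 'package/inherit' also derives a 'replacement' for glibc-intermediate from the replacement of 'glibc', with the same overrides applied, so the bootstrap glibc is grafted as well. If that is the intent, say so in the log; if not, '(package (inherit glibc) (replacement #f) ...)' is the explicit choice.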
@@ -540,6 +541,7 @@ the bootstrap environment."
 that makes it available under the native tool names."
   (package (inherit gcc)
     (name (string-append (package-name gcc) "-wrapped"))
+    (replacement #f)
     (source #f)
     (build-system trivial-build-system)
     (outputs '("out"))
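Review bot: a one-line comment would help here saying what '(replacement #f)' guards against; the wrapper inherits from the 'gcc' argument, and nothing in this hunk shows that package carrying a replacement, so a reader cannot tell from the diff alone why the wrapper must opt out of grafting.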
@@ -640,7 +642,7 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
 
 (define glibc-final
   ;; The final glibc, which embeds the statically-linked Bash built above.
-  (package (inherit glibc-final-with-bootstrap-bash)
+  (package/inherit glibc-final-with-bootstrap-bash
     (name "glibc")
     (inputs `(("static-bash" ,static-bash-for-glibc)
               ,@(alist-delete
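Review bot: whether this 'package/inherit' does anything for grafting depends on glibc-final-with-bootstrap-bash itself carrying a 'replacement', which is not visible in this diff; if that intermediate is still defined with plain '(package (inherit ...))', the replacement of glibc-final stays #f and the libc that gnu-build-system packages actually link against is never grafted. Either convert the whole chain or confirm with './pre-inst-env guix build hello' with and without '--no-grafts' that the two results differ. The commit log should also list this conversion, as it does not today.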
diff --git a/gnu/packages/patches/glibc-CVE-2017-1000366.patch b/gnu/packages/patches/glibc-CVE-2017-1000366.patch
new file mode 100644
index 000000000..71e80968b
--- /dev/null
+++ b/gnu/packages/patches/glibc-CVE-2017-1000366.patch
@@ -0,0 +1,36 @@
+From f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 19 Jun 2017 17:09:55 +0200
+Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1
+ programs [BZ #21624]
+
+LD_LIBRARY_PATH can only be used to reorder system search paths, which
+is not useful functionality.
+
+This makes an exploitable unbounded alloca in _dl_init_paths unreachable
+for AT_SECURE=1 programs.
+
+patch from:
+https://sourceware.org/git/?p=glibc.git;a=commit;h=f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d
+---
+ ChangeLog  | 7 +++++++
+ elf/rtld.c | 3 ++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 2446a87..2269dbe 100644
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -2422,7 +2422,8 @@ process_envvars (enum mode *modep)
+ 
+ 	case 12:
+ 	  /* The library search path.  */
+-	  if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
++	  if (!__libc_enable_secure
++	      && memcmp (envline, "LIBRARY_PATH", 12) == 0)
+ 	    {
+ 	      library_path = &envline[13];
+ 	      break;
+-- 
+2.9.3
+
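Review bot: the diffstat still lists 'ChangeLog | 7 +++++++' although the ChangeLog hunk has been dropped from this copy; trim the stat or keep the hunk so the file is self-consistent. On substance, this change only makes the unbounded alloca in _dl_init_paths unreachable for AT_SECURE=1 processes by discarding LD_LIBRARY_PATH; the alloca itself stays for ordinary processes, and the LD_PRELOAD and LD_AUDIT parsing paths are untouched here, which is why the two accompanying patches must always travel with this one in a backport.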
diff --git a/gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch b/gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch
new file mode 100644
index 000000000..3d8f6d2bf
--- /dev/null
+++ b/gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch
@@ -0,0 +1,206 @@
+From 81b82fb966ffbd94353f793ad17116c6088dedd9 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 19 Jun 2017 22:32:12 +0200
+Subject: [PATCH] ld.so: Reject overly long LD_AUDIT path elements
+
+Also only process the last LD_AUDIT entry.
+
+patch from:
+https://sourceware.org/git/?p=glibc.git;a=commit;h=81b82fb966ffbd94353f793ad17116c6088dedd9
+
+---
+ ChangeLog  |  11 +++++++
+ elf/rtld.c | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++---------
+ 2 files changed, 106 insertions(+), 15 deletions(-)
+
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 86ae20c..65647fb 100644
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -129,13 +129,91 @@ dso_name_valid_for_suid (const char *p)
+   return *p != '\0';
+ }
+ 
+-/* List of auditing DSOs.  */
++/* LD_AUDIT variable contents.  Must be processed before the
++   audit_list below.  */
++const char *audit_list_string;
++
++/* Cyclic list of auditing DSOs.  audit_list->next is the first
++   element.  */
+ static struct audit_list
+ {
+   const char *name;
+   struct audit_list *next;
+ } *audit_list;
+ 
++/* Iterator for audit_list_string followed by audit_list.  */
++struct audit_list_iter
++{
++  /* Tail of audit_list_string still needing processing, or NULL.  */
++  const char *audit_list_tail;
++
++  /* The list element returned in the previous iteration.  NULL before
++     the first element.  */
++  struct audit_list *previous;
++
++  /* Scratch buffer for returning a name which is part of
++     audit_list_string.  */
++  char fname[SECURE_NAME_LIMIT];
++};
++
++/* Initialize an audit list iterator.  */
++static void
++audit_list_iter_init (struct audit_list_iter *iter)
++{
++  iter->audit_list_tail = audit_list_string;
++  iter->previous = NULL;
++}
++
++/* Iterate through both audit_list_string and audit_list.  */
++static const char *
++audit_list_iter_next (struct audit_list_iter *iter)
++{
++  if (iter->audit_list_tail != NULL)
++    {
++      /* First iterate over audit_list_string.  */
++      while (*iter->audit_list_tail != '\0')
++	{
++	  /* Split audit list at colon.  */
++	  size_t len = strcspn (iter->audit_list_tail, ":");
++	  if (len > 0 && len < sizeof (iter->fname))
++	    {
++	      memcpy (iter->fname, iter->audit_list_tail, len);
++	      iter->fname[len] = '\0';
++	    }
++	  else
++	    /* Do not return this name to the caller.  */
++	    iter->fname[0] = '\0';
++
++	  /* Skip over the substring and the following delimiter.  */
++	  iter->audit_list_tail += len;
++	  if (*iter->audit_list_tail == ':')
++	    ++iter->audit_list_tail;
++
++	  /* If the name is valid, return it.  */
++	  if (dso_name_valid_for_suid (iter->fname))
++	    return iter->fname;
++	  /* Otherwise, wrap around and try the next name.  */
++	}
++      /* Fall through to the procesing of audit_list.  */
++    }
++
++  if (iter->previous == NULL)
++    {
++      if (audit_list == NULL)
++	/* No pre-parsed audit list.  */
++	return NULL;
++      /* Start of audit list.  The first list element is at
++	 audit_list->next (cyclic list).  */
++      iter->previous = audit_list->next;
++      return iter->previous->name;
++    }
++  if (iter->previous == audit_list)
++    /* Cyclic list wrap-around.  */
++    return NULL;
++  iter->previous = iter->previous->next;
++  return iter->previous->name;
++}
++
+ #ifndef HAVE_INLINED_SYSCALLS
+ /* Set nonzero during loading and initialization of executable and
+    libraries, cleared before the executable's entry point runs.  This
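Review bot: the context of this hunk (dso_name_valid_for_suid, SECURE_NAME_LIMIT, and the "return *p != '\0'; }" lines above the removed comment) comes from glibc-reject-long-LD-PRELOAD.patch, so this file must be applied after it, which the Guix patch lists above do not guarantee. Two behavioural points are worth a sentence in the patch header: audit_list_iter_next sets fname[0] = '\0' for any element of SECURE_NAME_LIMIT bytes or more and dso_name_valid_for_suid rejects an empty name in every mode, so overlong LD_AUDIT elements are now dropped for non-setuid programs too, not only under AT_SECURE, and the drop produces no diagnostic. ("procesing" in the fall-through comment is an upstream typo; leave it so the patch stays identical to the commit it cites.)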
+@@ -1305,11 +1383,13 @@ of this helper program; chances are you did not intend to run this program.\n\
+     GL(dl_rtld_map).l_tls_modid = _dl_next_tls_modid ();
+ 
+   /* If we have auditing DSOs to load, do it now.  */
+-  if (__glibc_unlikely (audit_list != NULL))
++  bool need_security_init = true;
++  if (__glibc_unlikely (audit_list != NULL)
++      || __glibc_unlikely (audit_list_string != NULL))
+     {
+-      /* Iterate over all entries in the list.  The order is important.  */
+       struct audit_ifaces *last_audit = NULL;
+-      struct audit_list *al = audit_list->next;
++      struct audit_list_iter al_iter;
++      audit_list_iter_init (&al_iter);
+ 
+       /* Since we start using the auditing DSOs right away we need to
+ 	 initialize the data structures now.  */
+@@ -1320,9 +1400,14 @@ of this helper program; chances are you did not intend to run this program.\n\
+ 	 use different values (especially the pointer guard) and will
+ 	 fail later on.  */
+       security_init ();
++      need_security_init = false;
+ 
+-      do
++      while (true)
+ 	{
++	  const char *name = audit_list_iter_next (&al_iter);
++	  if (name == NULL)
++	    break;
++
+ 	  int tls_idx = GL(dl_tls_max_dtv_idx);
+ 
+ 	  /* Now it is time to determine the layout of the static TLS
+@@ -1331,7 +1416,7 @@ of this helper program; chances are you did not intend to run this program.\n\
+ 	     no DF_STATIC_TLS bit is set.  The reason is that we know
+ 	     glibc will use the static model.  */
+ 	  struct dlmopen_args dlmargs;
+-	  dlmargs.fname = al->name;
++	  dlmargs.fname = name;
+ 	  dlmargs.map = NULL;
+ 
+ 	  const char *objname;
+@@ -1344,7 +1429,7 @@ of this helper program; chances are you did not intend to run this program.\n\
+ 	    not_loaded:
+ 	      _dl_error_printf ("\
+ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
+-				al->name, err_str);
++				name, err_str);
+ 	      if (malloced)
+ 		free ((char *) err_str);
+ 	    }
+@@ -1448,10 +1533,7 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
+ 		  goto not_loaded;
+ 		}
+ 	    }
+-
+-	  al = al->next;
+ 	}
+-      while (al != audit_list->next);
+ 
+       /* If we have any auditing modules, announce that we already
+ 	 have two objects loaded.  */
+@@ -1715,7 +1797,7 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
+   if (tcbp == NULL)
+     tcbp = init_tls ();
+ 
+-  if (__glibc_likely (audit_list == NULL))
++  if (__glibc_likely (need_security_init))
+     /* Initialize security features.  But only if we have not done it
+        earlier.  */
+     security_init ();
+@@ -2346,9 +2428,7 @@ process_dl_audit (char *str)
+   char *p;
+ 
+   while ((p = (strsep) (&str, ":")) != NULL)
+-    if (p[0] != '\0'
+-	&& (__builtin_expect (! __libc_enable_secure, 1)
+-	    || strchr (p, '/') == NULL))
++    if (dso_name_valid_for_suid (p))
+       {
+ 	/* This is using the local malloc, not the system malloc.  The
+ 	   memory can never be freed.  */
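Review bot: after the next hunk process_dl_audit is no longer reached from process_envvars, so its only remaining caller would be the command-line --audit handling, which this diff does not show; confirm that caller still exists, otherwise this function and its never-freed malloc list are dead code. Using dso_name_valid_for_suid here is consistent: --audit elements now get the same slash and length checks under AT_SECURE=1 as the environment variable.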
+@@ -2412,7 +2492,7 @@ process_envvars (enum mode *modep)
+ 	      break;
+ 	    }
+ 	  if (memcmp (envline, "AUDIT", 5) == 0)
+-	    process_dl_audit (&envline[6]);
++	    audit_list_string = &envline[6];
+ 	  break;
+ 
+ 	case 7:
+-- 
+2.9.3
+
diff --git a/gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch b/gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch
new file mode 100644
index 000000000..4b859c4bf
--- /dev/null
+++ b/gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch
@@ -0,0 +1,124 @@
+From 6d0ba622891bed9d8394eef1935add53003b12e8 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 19 Jun 2017 22:31:04 +0200
+Subject: [PATCH] ld.so: Reject overly long LD_PRELOAD path elements
+
+patch from:
+https://sourceware.org/git/?p=glibc.git;a=patch;h=6d0ba622891bed9d8394eef1935add53003b12e8
+
+---
+ ChangeLog  |  7 ++++++
+ elf/rtld.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++------------
+ 2 files changed, 73 insertions(+), 16 deletions(-)
+
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 2269dbe..86ae20c 100644
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -99,6 +99,35 @@ uintptr_t __pointer_chk_guard_local
+ strong_alias (__pointer_chk_guard_local, __pointer_chk_guard)
+ #endif
+ 
++/* Length limits for names and paths, to protect the dynamic linker,
++   particularly when __libc_enable_secure is active.  */
++#ifdef NAME_MAX
++# define SECURE_NAME_LIMIT NAME_MAX
++#else
++# define SECURE_NAME_LIMIT 255
++#endif
++#ifdef PATH_MAX
++# define SECURE_PATH_LIMIT PATH_MAX
++#else
++# define SECURE_PATH_LIMIT 1024
++#endif
++
++/* Check that AT_SECURE=0, or that the passed name does not contain
++   directories and is not overly long.  Reject empty names
++   unconditionally.  */
++static bool
++dso_name_valid_for_suid (const char *p)
++{
++  if (__glibc_unlikely (__libc_enable_secure))
++    {
++      /* Ignore pathnames with directories for AT_SECURE=1
++	 programs, and also skip overlong names.  */
++      size_t len = strlen (p);
++      if (len >= SECURE_NAME_LIMIT || memchr (p, '/', len) != NULL)
++	return false;
++    }
++  return *p != '\0';
++}
+ 
+ /* List of auditing DSOs.  */
+ static struct audit_list
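Review bot: the '#ifdef NAME_MAX' / '#ifdef PATH_MAX' fallbacks only take effect if <limits.h> is visible in rtld.c, and this hunk adds no include; confirm it is already included, otherwise the 255/1024 fallbacks are used silently on every platform. Also, dso_name_valid_for_suid limits names to SECURE_NAME_LIMIT (one path component) while handle_ld_preload below sizes its buffer with SECURE_PATH_LIMIT; that is coherent because names containing '/' are rejected under AT_SECURE anyway, but a comment saying so would spare the next reader the question.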
+@@ -718,6 +747,42 @@ static const char *preloadlist attribute_relro;
+ /* Nonzero if information about versions has to be printed.  */
+ static int version_info attribute_relro;
+ 
++/* The LD_PRELOAD environment variable gives list of libraries
++   separated by white space or colons that are loaded before the
++   executable's dependencies and prepended to the global scope list.
++   (If the binary is running setuid all elements containing a '/' are
++   ignored since it is insecure.)  Return the number of preloads
++   performed.  */
++unsigned int
++handle_ld_preload (const char *preloadlist, struct link_map *main_map)
++{
++  unsigned int npreloads = 0;
++  const char *p = preloadlist;
++  char fname[SECURE_PATH_LIMIT];
++
++  while (*p != '\0')
++    {
++      /* Split preload list at space/colon.  */
++      size_t len = strcspn (p, " :");
++      if (len > 0 && len < sizeof (fname))
++	{
++	  memcpy (fname, p, len);
++	  fname[len] = '\0';
++	}
++      else
++	fname[0] = '\0';
++
++      /* Skip over the substring and the following delimiter.  */
++      p += len;
++      if (*p != '\0')
++	++p;
++
++      if (dso_name_valid_for_suid (fname))
++	npreloads += do_preload (fname, main_map, "LD_PRELOAD");
++    }
++  return npreloads;
++}
++
+ static void
+ dl_main (const ElfW(Phdr) *phdr,
+ 	 ElfW(Word) phnum,
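Review bot: handle_ld_preload is defined with external linkage but, as far as this diff shows, is only called from dl_main; make it static so it does not become a new exported symbol of ld.so. The comment above it is also now incomplete: besides '/'-containing elements under setuid, any element of SECURE_PATH_LIMIT bytes or more is dropped (fname[0] = '\0', then rejected by dso_name_valid_for_suid) in every mode and without a message; say so, since that is a visible change from the previous strdupa-based loop, which accepted elements of any length.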
+@@ -1464,23 +1529,8 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
+ 
+   if (__glibc_unlikely (preloadlist != NULL))
+     {
+-      /* The LD_PRELOAD environment variable gives list of libraries
+-	 separated by white space or colons that are loaded before the
+-	 executable's dependencies and prepended to the global scope
+-	 list.  If the binary is running setuid all elements
+-	 containing a '/' are ignored since it is insecure.  */
+-      char *list = strdupa (preloadlist);
+-      char *p;
+-
+       HP_TIMING_NOW (start);
+-
+-      /* Prevent optimizing strsep.  Speed is not important here.  */
+-      while ((p = (strsep) (&list, " :")) != NULL)
+-	if (p[0] != '\0'
+-	    && (__builtin_expect (! __libc_enable_secure, 1)
+-		|| strchr (p, '/') == NULL))
+-	  npreloads += do_preload (p, main_map, "LD_PRELOAD");
+-
++      npreloads += handle_ld_preload (preloadlist, main_map);
+       HP_TIMING_NOW (stop);
+       HP_TIMING_DIFF (diff, start, stop);
+       HP_TIMING_ACCUM_NT (load_time, diff);
+-- 
+2.9.3
+
-- 
2.13.1


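As an added illustration, not part of Efraim's patch, of glibc or of Guix, here is a stand-alone C program that reimplements the element filter the two ld.so patches above introduce (dso_name_valid_for_suid and handle_ld_preload), so the effect of the change on a given LD_PRELOAD string can be checked without a setuid binary. The function names secure_name_ok, split_preload_list, demo_list, demo_count and long_name_ok, the fixed 255/1024 limits and the sample list are this example's own assumptions; it does not touch the real dynamic linker.

```c
/* Added example, not glibc or Guix code: a stand-alone model of the element
   filter introduced by the two "reject overly long" ld.so patches above.
   secure_name_ok() mirrors dso_name_valid_for_suid() and split_preload_list()
   mirrors handle_ld_preload(); names, helpers and sample input are ours. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The fallback values the patches use when limits.h lacks NAME_MAX/PATH_MAX,
   fixed here so the example behaves the same on every platform. */
#define SECURE_NAME_LIMIT 255
#define SECURE_PATH_LIMIT 1024

/* With at_secure set (setuid/setgid/capability-bearing process), reject
   names that contain a directory separator or are NAME_MAX bytes or longer.
   Empty names are rejected in both modes. */
static bool secure_name_ok(const char *p, bool at_secure)
{
    if (at_secure) {
        size_t len = strlen(p);
        if (len >= SECURE_NAME_LIMIT || memchr(p, '/', len) != NULL)
            return false;
    }
    return *p != '\0';
}

/* Walk a colon/space separated list with a fixed-size stack buffer instead
   of strdupa() over the whole attacker-controlled string.  Accepted elements
   are written to LOG when it is non-NULL; the count is returned.  Elements
   of SECURE_PATH_LIMIT bytes or more are dropped in BOTH modes, silently,
   which is the behaviour change the patch introduces. */
static unsigned split_preload_list(const char *list, bool at_secure, FILE *log)
{
    unsigned n = 0;
    const char *p = list;
    char fname[SECURE_PATH_LIMIT];

    while (*p != '\0') {
        size_t len = strcspn(p, " :");
        if (len > 0 && len < sizeof fname) {
            memcpy(fname, p, len);
            fname[len] = '\0';
        } else {
            fname[0] = '\0';            /* empty or overlong: skip it */
        }
        p += len;
        if (*p != '\0')
            ++p;                        /* step over the delimiter */
        if (secure_name_ok(fname, at_secure)) {
            if (log != NULL)
                fprintf(log, "  would preload: %s\n", fname);
            ++n;
        }
    }
    return n;
}

/* Constructed sample: a bare name, an absolute path, an empty element, an
   element longer than SECURE_PATH_LIMIT (the stack-clash style input) and
   a space-separated trailing name. */
static const char *demo_list(void)
{
    static char list[2 * SECURE_PATH_LIMIT];
    char big[SECURE_PATH_LIMIT + 8];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    snprintf(list, sizeof list, "libfoo.so:/tmp/evil.so::%s libbar.so", big);
    return list;
}

/* How many elements of the sample survive in the given mode. */
static unsigned demo_count(bool at_secure)
{
    return split_preload_list(demo_list(), at_secure, NULL);
}

/* Whether a directory-free name of LEN bytes passes the name check. */
static bool long_name_ok(size_t len, bool at_secure)
{
    char name[SECURE_NAME_LIMIT + 16];
    if (len >= sizeof name)
        len = sizeof name - 1;
    memset(name, 'A', len);
    name[len] = '\0';
    return secure_name_ok(name, at_secure);
}

int main(void)
{
    puts("AT_SECURE=0:");
    split_preload_list(demo_list(), false, stdout);
    puts("AT_SECURE=1:");
    split_preload_list(demo_list(), true, stdout);
    printf("honoured: %u vs %u\n", demo_count(false), demo_count(true));
    return 0;
}
```

Compile with 'cc -o preload-filter preload-filter.c' and run it: libfoo.so and libbar.so survive in both modes, /tmp/evil.so only without AT_SECURE, and the 1031-byte element is dropped in both modes without any message. That silent drop is the part to remember when an LD_PRELOAD setting stops taking effect after the graft.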


* bug#27429: Stack clash (CVE-2017-1000366 etc)
  2017-06-21  9:50         ` Efraim Flashner
@ 2017-06-21 23:52           ` Leo Famulari
  2017-06-22  0:03             ` Leo Famulari
  2017-06-23 17:20           ` bug#27429: Stack clash (CVE-2017-1000366 etc) Leo Famulari
  1 sibling, 1 reply; 37+ messages in thread
From: Leo Famulari @ 2017-06-21 23:52 UTC (permalink / raw)
  To: Efraim Flashner; +Cc: 27429


On Wed, Jun 21, 2017 at 12:50:45PM +0300, Efraim Flashner wrote:
> Had to make a small change to the patch, it turns out it couldn't build
> the source for glibc@2.21, so I changed the source to inherit from
> glibc@2.22 and not just from glibc. It doesn't change anything for the
> actual glibc@2.25.
> 
> -- 
> Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
> GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
> Confidentiality cannot be guaranteed on emails sent or received unencrypted

> From ef14fa6db5eaedabbaa092cbed2b6f8ee903837c Mon Sep 17 00:00:00 2001
> From: Efraim Flashner <efraim@flashner.co.il>
> Date: Mon, 19 Jun 2017 23:13:53 +0300
> Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
> 
> * gnu/packages/base.scm (glibc/linux)[replacement]: New field.
> (glibc-2.25-fixed): New variable.
> (glibc@2.24, glibc@2.23, glibc@2.22, glibc@2.21)[source]: Add patches.
> [replacement]: New field.
> (glibc-locales)[replacement]: New field.
> * gnu/packages/commencement.scm (cross-gcc-wrapper)[replacement]: New field.
> * gnu/packages/patches/glibc-CVE-2017-1000366.patch,
> gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch,
> gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.

Thanks, I'm building a bare-bones disk image to test this patch.



* bug#27429: Stack clash (CVE-2017-1000366 etc)
  2017-06-21 23:52           ` Leo Famulari
@ 2017-06-22  0:03             ` Leo Famulari
  2017-06-22  6:44               ` Mark H Weaver
  0 siblings, 1 reply; 37+ messages in thread
From: Leo Famulari @ 2017-06-22  0:03 UTC (permalink / raw)
  To: Efraim Flashner; +Cc: 27429


On Wed, Jun 21, 2017 at 07:52:27PM -0400, Leo Famulari wrote:
> On Wed, Jun 21, 2017 at 12:50:45PM +0300, Efraim Flashner wrote:
> > Had to make a small change to the patch, it turns out it couldn't build
> > the source for glibc@2.21, so I changed the source to inherit from
> > glibc@2.22 and not just from glibc. It doesn't change anything for the
> > actual glibc@2.25.
> > 
> > -- 
> > Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
> > GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
> > Confidentiality cannot be guaranteed on emails sent or received unencrypted
> 
> > From ef14fa6db5eaedabbaa092cbed2b6f8ee903837c Mon Sep 17 00:00:00 2001
> > From: Efraim Flashner <efraim@flashner.co.il>
> > Date: Mon, 19 Jun 2017 23:13:53 +0300
> > Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
> > 
> > * gnu/packages/base.scm (glibc/linux)[replacement]: New field.
> > (glibc-2.25-fixed): New variable.
> > (glibc@2.24, glibc@2.23, glibc@2.22, glibc@2.21)[source]: Add patches.
> > [replacement]: New field.
> > (glibc-locales)[replacement]: New field.
> > * gnu/packages/commencement.scm (cross-gcc-wrapper)[replacement]: New field.
> > * gnu/packages/patches/glibc-CVE-2017-1000366.patch,
> > gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch,
> > gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch: New files.
> > * gnu/local.mk (dist_patch_DATA): Add them.
> 
> Thanks, I'm building a bare-bones disk image to test this patch.

Hm, I noticed the bootstrap binaries being downloaded, so I don't think
this patch applies the graft without causing a full rebuild.



* bug#27429: Stack clash (CVE-2017-1000366 etc)
  2017-06-22  0:03             ` Leo Famulari
@ 2017-06-22  6:44               ` Mark H Weaver
  2017-06-22 16:17                 ` Leo Famulari
  2017-06-29 10:58                 ` Ludovic Courtès
  0 siblings, 2 replies; 37+ messages in thread
From: Mark H Weaver @ 2017-06-22  6:44 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 27429

Leo Famulari <leo@famulari.name> writes:

> On Wed, Jun 21, 2017 at 07:52:27PM -0400, Leo Famulari wrote:
>> On Wed, Jun 21, 2017 at 12:50:45PM +0300, Efraim Flashner wrote:
>> > Had to make a small change to the patch, it turns out it couldn't build
>> > the source for glibc@2.21, so I changed the source to inherit from
>> > glibc@2.22 and not just from glibc. It doesn't change anything for the
>> > actual glibc@2.25.
>> > 
>> > -- 
>> > Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
>> > GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
>> > Confidentiality cannot be guaranteed on emails sent or received unencrypted
>> 
>> > From ef14fa6db5eaedabbaa092cbed2b6f8ee903837c Mon Sep 17 00:00:00 2001
>> > From: Efraim Flashner <efraim@flashner.co.il>
>> > Date: Mon, 19 Jun 2017 23:13:53 +0300
>> > Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
>> > 
>> > * gnu/packages/base.scm (glibc/linux)[replacement]: New field.
>> > (glibc-2.25-fixed): New variable.
>> > (glibc@2.24, glibc@2.23, glibc@2.22, glibc@2.21)[source]: Add patches.
>> > [replacement]: New field.
>> > (glibc-locales)[replacement]: New field.
>> > * gnu/packages/commencement.scm (cross-gcc-wrapper)[replacement]: New field.

The commit log should mention the two packages that were converted to
use 'package/inherit'.

>> > * gnu/packages/patches/glibc-CVE-2017-1000366.patch,
>> > gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch,
>> > gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch: New files.
>> > * gnu/local.mk (dist_patch_DATA): Add them.

Also, this patch includes some other unrelated fixes, such as changing
"gnu" to "%D%" in local.mk.  It would be good to split those off into
separate commits.

>> Thanks, I'm building a bare-bones disk image to test this patch.
>
> Hm, I noticed the bootstrap binaries being downloaded, so I don't think
> this patch applies the graft without causing a full rebuild.

It's likely that this is because of the new behavior of Hydra, where
NARs that haven't been fetched in the last 14 days are deleted, and then
those substitutes will fail the next time they are requested.

In this system fetching substitutes that are not often requested will
often fail.  One must try to fetch them, and then wait a while for Hydra
to rebuild the NARs, and then try again later.  FWIW, I don't like this
approach, but it's what we have for now.

       Mark


* bug#27429: Stack clash (CVE-2017-1000366 etc)
  2017-06-22  6:44               ` Mark H Weaver
@ 2017-06-22 16:17                 ` Leo Famulari
  2017-06-22 18:34                   ` Leo Famulari
  2017-06-29 10:58                 ` Ludovic Courtès
  1 sibling, 1 reply; 37+ messages in thread
From: Leo Famulari @ 2017-06-22 16:17 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: 27429


On Thu, Jun 22, 2017 at 02:44:11AM -0400, Mark H Weaver wrote:
> Leo Famulari <leo@famulari.name> writes:
> > Hm, I noticed the bootstrap binaries being downloaded, so I don't think
> > this patch applies the graft without causing a full rebuild.
> 
> It's likely that this is because of the new behavior of Hydra, where
> NARs that haven't been fetched in the last 14 days are deleted, and then
> those substitutes will fail the next time they are requested.
> 
> In this system fetching substitutes that are not often requested will
> often fail.  One must try to fetch them, and then wait a while for Hydra
> to rebuild the NARs, and then try again later.  FWIW, I don't like this
> approach, but it's what we have for now.

Okay, I'm trying again. I'll let the build finish and report if the
system seems okay in QEMU.



* bug#27429: Stack clash (CVE-2017-1000366 etc)
  2017-06-22 16:17                 ` Leo Famulari
@ 2017-06-22 18:34                   ` Leo Famulari
  2017-06-22 19:25                     ` Leo Famulari
  0 siblings, 1 reply; 37+ messages in thread
From: Leo Famulari @ 2017-06-22 18:34 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: 27429


On Thu, Jun 22, 2017 at 12:17:37PM -0400, Leo Famulari wrote:
> On Thu, Jun 22, 2017 at 02:44:11AM -0400, Mark H Weaver wrote:
> > Leo Famulari <leo@famulari.name> writes:
> > > Hm, I noticed the bootstrap binaries being downloaded, so I don't think
> > > this patch applies the graft without causing a full rebuild.
> > 
> > It's likely that this is because of the new behavior of Hydra, where
> > NARs that haven't been fetched in the last 14 days are deleted, and then
> > those substitutes will fail the next time they are requested.
> > 
> > In this system fetching substitutes that are not often requested will
> > often fail.  One must try to fetch them, and then wait a while for Hydra
> > to rebuild the NARs, and then try again later.  FWIW, I don't like this
> > approach, but it's what we have for now.
> 
> Okay, I'm trying again. I'll let the build finish and report if the
> system seems okay in QEMU.

It's building stuff, but it downloaded several parts of the bootstrap
(gettext-boot0, perl-boot0, etc) and is now building the base packages
of the distribution (perl, etc).

So, I'm skeptical that it's grafting in the way we need it to. For
example, I already have the latest Perl binary from `guix build perl`,
but it's rebuilding Perl now.



* bug#27429: Stack clash (CVE-2017-1000366 etc)
  2017-06-22 18:34                   ` Leo Famulari
@ 2017-06-22 19:25                     ` Leo Famulari
  0 siblings, 0 replies; 37+ messages in thread
From: Leo Famulari @ 2017-06-22 19:25 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: 27429


On Thu, Jun 22, 2017 at 02:34:21PM -0400, Leo Famulari wrote:
> It's building stuff, but it downloaded several parts of the bootstrap
> (gettext-boot0, perl-boot0, etc) and is now building the base packages
> of the distribution (perl, etc).
> 
> So, I'm skeptical that it's grafting in the way we need it to. For
> example, I already have the latest Perl binary from `guix build perl`,
> but it's rebuilding Perl now.

I might have spoken too soon. Although Perl was rebuilt, most other
packages were not. So this patch might do the right thing. More review
welcome :)


* bug#27429: Stack clash (CVE-2017-1000366 etc)
  2017-06-21  9:50         ` Efraim Flashner
  2017-06-21 23:52           ` Leo Famulari
@ 2017-06-23 17:20           ` Leo Famulari
  2017-06-23 18:36             ` Mark H Weaver
  2017-06-28 21:55             ` Leo Famulari
  1 sibling, 2 replies; 37+ messages in thread
From: Leo Famulari @ 2017-06-23 17:20 UTC (permalink / raw)
  To: Efraim Flashner; +Cc: 27429


On Wed, Jun 21, 2017 at 12:50:45PM +0300, Efraim Flashner wrote:
> Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
> 
> * gnu/packages/base.scm (glibc/linux)[replacement]: New field.
> (glibc-2.25-fixed): New variable.
> (glibc@2.24, glibc@2.23, glibc@2.22, glibc@2.21)[source]: Add patches.
> [replacement]: New field.
> (glibc-locales)[replacement]: New field.
> * gnu/packages/commencement.scm (cross-gcc-wrapper)[replacement]: New field.
> * gnu/packages/patches/glibc-CVE-2017-1000366.patch,
> gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch,
> gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.

I've applied this patch to my Guix-on-foreign-distro workstation.
Everything seems to be working so far.

I noticed that grafted packages do not seem to refer directly to the
replacement glibc. For example:

$ ./pre-inst-env guix build -e '(@@ (gnu packages base) glibc-2.25-patched)'
/gnu/store/kczijfli8cb0qjyrfzbrd06bdrpic7lx-glibc-2.25-debug
/gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25
$ guix gc --references /gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25
/gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25
/gnu/store/946hwcxnd9w13gyqprs0fzkmyyz4hdar-bash-static-4.4.12
/gnu/store/n4fmp3fj1yam5ijwa64irg7glvzsq4i1-bash-4.4.12
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25
$ guix gc --references $(./pre-inst-env guix build libressl)
/gnu/store/7ahy5yw88wq1fg1lmr84vy958sgzgp5g-libressl-2.5.4
/gnu/store/p8k2id55pynzjmaixlns94phvr7mz5ls-gcc-5.4.0-lib
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25

However, I haven't had time to dig in and wrap my head around the glibc
packages.

By the way, Qualys will probably begin publishing their exploits on
Tuesday [0]:

"We have discussed this internally, and we will first publish the Stack
Clash exploits and proofs-of-concepts that we sent to the distros@ and
linux-distros@ lists, plus our Linux ld.so exploit for amd64, and our
Solaris rsh exploit.

We will do so next Tuesday, but we will publish our Linux exploits and
proofs-of-concept if and only if Fedora updates are ready by then, our
NetBSD proof-of-concept if and only if NetBSD patches are ready by then,
and our FreeBSD proofs-of-concept if and only if FreeBSD patches are
ready by then."

[0] <http://seclists.org/oss-sec/2017/q2/548>


* bug#27429: Stack clash (CVE-2017-1000366 etc)
  2017-06-23 17:20           ` bug#27429: Stack clash (CVE-2017-1000366 etc) Leo Famulari
@ 2017-06-23 18:36             ` Mark H Weaver
  2017-06-23 18:54               ` Leo Famulari
  2017-06-28 21:55             ` Leo Famulari
  1 sibling, 1 reply; 37+ messages in thread
From: Mark H Weaver @ 2017-06-23 18:36 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 27429

Leo Famulari <leo@famulari.name> writes:

> On Wed, Jun 21, 2017 at 12:50:45PM +0300, Efraim Flashner wrote:
>> Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
>> 
>> * gnu/packages/base.scm (glibc/linux)[replacement]: New field.
>> (glibc-2.25-fixed): New variable.
>> (glibc@2.24, glibc@2.23, glibc@2.22, glibc@2.21)[source]: Add patches.
>> [replacement]: New field.
>> (glibc-locales)[replacement]: New field.
>> * gnu/packages/commencement.scm (cross-gcc-wrapper)[replacement]: New field.
>> * gnu/packages/patches/glibc-CVE-2017-1000366.patch,
>> gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch,
>> gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Add them.
>
> I've applied this patch to my Guix-on-foreign-distro workstation.
> Everything seems to be working so far.
>
> I noticed that grafted packages do not seem to refer directly to the
> replacement glibc. For example:
>
> $ ./pre-inst-env guix build -e '(@@ (gnu packages base) glibc-2.25-patched)'
> /gnu/store/kczijfli8cb0qjyrfzbrd06bdrpic7lx-glibc-2.25-debug
> /gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25

I wouldn't expect them to.  Almost(?) nothing in Guix links to the
'glibc' in (gnu packages base), so I wouldn't expect them to link to its
replacement either.

Most packages are linked with 'glibc-final' in (gnu packages
commencement), and we should expect them to now be linked with *its*
replacement.  Try this to find the expected glibc-final replacement:

  ./pre-inst-env guix build -e '((@@ (guix packages) package-replacement) (@@ (gnu packages commencement) glibc-final))'

> By the way, Qualys will probably begin publishing their exploits on
> Tuesday [0]:

Thanks for the heads-up, and more generally to your prolific
contributions to security in Guix!

      Mark
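A script that turns the two checks above into one step: it resolves the expected replacement of glibc-final with the expression Mark gives, then confirms a package's run-time references (Leo's `guix gc --references` check) include that store path. This is an added example, not code from the thread or from Guix; it assumes a Guix source checkout (so that ./pre-inst-env works) and a package name as its first argument, and the helper names are mine.

```shell
#!/bin/sh
# Added example (not from the thread or from Guix): verify that a
# package's run-time references include the grafted glibc-final
# replacement, i.e. that the CVE-2017-1000366 graft actually took effect.
# Assumes a Guix source checkout so that ./pre-inst-env works.

# Expression from Mark's message: the expected replacement of glibc-final.
REPLACEMENT_EXPR='((@@ (guix packages) package-replacement) (@@ (gnu packages commencement) glibc-final))'

# Sample 'guix gc --references' listing, copied from Leo's libressl output
# above, so the helpers can be exercised offline via demo_check.
SAMPLE_REFS='/gnu/store/7ahy5yw88wq1fg1lmr84vy958sgzgp5g-libressl-2.5.4
/gnu/store/p8k2id55pynzjmaixlns94phvr7mz5ls-gcc-5.4.0-lib
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25'

# refs_contain REFS PATH: succeed if PATH is one whole line of REFS.
refs_contain() {
    printf '%s\n' "$1" | grep -Fxq -- "$2"
}

# glibc_refs REFS: print only the glibc store items among REFS (main
# outputs, not -debug), so a reviewer can see which glibc is really linked.
glibc_refs() {
    printf '%s\n' "$1" | grep -E '^/gnu/store/[0-9a-z]{32}-glibc-[0-9.]+$' || true
}

# expected_glibc: resolve the replacement of glibc-final to its main
# output path (guix build also prints the -debug output; drop it).
expected_glibc() {
    ./pre-inst-env guix build -e "$REPLACEMENT_EXPR" | grep -v -- '-debug$'
}

# check_graft PACKAGE: 0 if PACKAGE's references include the expected
# grafted glibc, 1 otherwise (listing which glibc it references instead).
check_graft() {
    pkg=$1
    expected=$(expected_glibc) || return 1
    # Unquoted on purpose: guix build may print several outputs.
    refs=$(guix gc --references $(./pre-inst-env guix build "$pkg")) || return 1
    if refs_contain "$refs" "$expected"; then
        echo "OK: $pkg references grafted glibc $expected"
    else
        echo "FAIL: $pkg does not reference $expected; it references:"
        glibc_refs "$refs"
        return 1
    fi
}

# demo_check PATH: offline variant of the check against SAMPLE_REFS.
demo_check() {
    refs_contain "$SAMPLE_REFS" "$1"
}

if [ $# -gt 0 ]; then
    check_graft "$1"
fi
```

Run it as `./check-graft.sh libressl` from the checkout; a FAIL listing a glibc other than the expected one means the package was built against an ungrafted glibc-final.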


* bug#27429: Stack clash (CVE-2017-1000366 etc)
  2017-06-23 18:36             ` Mark H Weaver
@ 2017-06-23 18:54               ` Leo Famulari
  2017-06-23 20:03                 ` Mark H Weaver
  0 siblings, 1 reply; 37+ messages in thread
From: Leo Famulari @ 2017-06-23 18:54 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: 27429


On Fri, Jun 23, 2017 at 02:36:41PM -0400, Mark H Weaver wrote:
> Most packages are linked with 'glibc-final' in (gnu packages
> commencement), and we should expect them to now be linked with *its*
> replacement.  Try this to find the expected glibc-final replacement:
> 
>   ./pre-inst-env guix build -e '((@@ (guix packages) package-replacement) (@@ (gnu packages commencement) glibc-final))'

Thank you for the clarification. Indeed, with Efraim's latest patch,
packages seem to be referring to the replacement for glibc-final.

So, do we think this patch is ready to apply? AFAIK, nobody has yet
tried upgrading a GuixSD system with this patch. I won't have access to
my bare-metal GuixSD system for the next few days.

> > By the way, Qualys will probably begin publishing their exploits on
> > Tuesday [0]:
> 
> Thanks for the heads-up, and more generally to your prolific
> contributions to security in Guix!

Thank you for your advice and guidance, and to Efraim for taking the
lead on fixing this bug!


* bug#27429: Stack clash (CVE-2017-1000366 etc)
  2017-06-23 18:54               ` Leo Famulari
@ 2017-06-23 20:03                 ` Mark H Weaver
  2017-06-24  7:11                   ` Mark H Weaver
  0 siblings, 1 reply; 37+ messages in thread
From: Mark H Weaver @ 2017-06-23 20:03 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 27429

Leo Famulari <leo@famulari.name> writes:

> On Fri, Jun 23, 2017 at 02:36:41PM -0400, Mark H Weaver wrote:
>> Most packages are linked with 'glibc-final' in (gnu packages
>> commencement), and we should expect them to now be linked with *its*
>> replacement.  Try this to find the expected glibc-final replacement:
>> 
>>   ./pre-inst-env guix build -e '((@@ (guix packages) package-replacement) (@@ (gnu packages commencement) glibc-final))'
>
> Thank you for the clarification. Indeed, with Efraim's latest patch,
> packages seem to be referring to the replacement for glibc-final.

That's good news!

> So, do we think this patch is ready to apply? AFAIK, nobody has yet
> tried upgrading a GuixSD system with this patch. I won't have access to
> my bare-metal GuixSD system for the next few days.

I think someone should try reconfiguring their GuixSD system and booting
into it before we apply it to master.  I might be able to do it tonight,
or else I can do it tomorrow.

       Mark


* bug#27429: Stack clash (CVE-2017-1000366 etc)
  2017-06-23 20:03                 ` Mark H Weaver
@ 2017-06-24  7:11                   ` Mark H Weaver
  2017-06-26  8:41                     ` Ludovic Courtès
  0 siblings, 1 reply; 37+ messages in thread
From: Mark H Weaver @ 2017-06-24  7:11 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 27429

Mark H Weaver <mhw@netris.org> writes:

> Leo Famulari <leo@famulari.name> writes:
>
>> On Fri, Jun 23, 2017 at 02:36:41PM -0400, Mark H Weaver wrote:
>>> Most packages are linked with 'glibc-final' in (gnu packages
>>> commencement), and we should expect them to now be linked with *its*
>>> replacement.  Try this to find the expected glibc-final replacement:
>>> 
>>>   ./pre-inst-env guix build -e '((@@ (guix packages) package-replacement) (@@ (gnu packages commencement) glibc-final))'
>>
>> Thank you for the clarification. Indeed, with Efraim's latest patch,
>> packages seem to be referring to the replacement for glibc-final.
>
> That's good news!
>
>> So, do we think this patch is ready to apply? AFAIK, nobody has yet
>> tried upgrading a GuixSD system with this patch. I won't have access to
>> my bare-metal GuixSD system for the next few days.
>
> I think someone should try reconfiguring their GuixSD system and booting
> into it before we apply it to master.  I might be able to do it tonight,
> or else I can do it tomorrow.

I made some minor cleanups to the patch, split it up into multiple
patches, and upgraded my GuixSD system to use it.  My system seems to
work fine.  I don't have time right now to verify that the grafting is
being done correctly, but I went ahead and pushed the commits to
'master' anyway, based on Leo's preliminary observations.

I'm dubious about the changes made to glibc-2.21, but that can be fixed
up later.

I tried to copy the .drv files for the grafted 'glibc-final' and
'glibc-final-with-bootstrap-bash' from my machine to Hydra, in order to
ask Hydra to build it, but both "guix copy" and "guix archive --export"
failed:

--8<---------------cut here---------------start------------->8---
mhw@jojen ~$ guix copy --to=hydra@hydra /gnu/store/17gcwll4a2y3cjk8jf3fg2gr105m9f4i-glibc-2.25.drv /gnu/store/78j5arbcgjfbj0m91fn6p5s71kz7w2yw-glibc-2.25.drv
sending 11 store items to 'localhost'...
guix copy: error: corrupt input while restoring archive from #<closed: file 231bbd0>
mhw@jojen ~$ guix archive --export /gnu/store/17gcwll4a2y3cjk8jf3fg2gr105m9f4i-glibc-2.25.drv /gnu/store/78j5arbcgjfbj0m91fn6p5s71kz7w2yw-glibc-2.25.drv > GRAFTED-GLIBC-DRVS.nar
guix archive: error: corrupt input while restoring archive from #<closed: file 17e9d20>
--8<---------------cut here---------------end--------------->8---

I'm concerned that i686 and armhf users are going to have a rude
awakening when they not only have to build two variants of glibc, but
also a bunch of the early bootstrap because the NARs are not available
on Hydra.  It would be good if someone could take care of that.

I'm sorry, but I need to sleep now.  Hopefully someone else can take it
from here.

      Mark


* bug#27429: Stack clash (CVE-2017-1000366 etc); -fstack-check
  2017-06-19 22:25 bug#27429: Stack clash (CVE-2017-1000366 etc) Leo Famulari
                   ` (2 preceding siblings ...)
  2017-06-20  3:31 ` Mark H Weaver
@ 2017-06-25  9:38 ` Danny Milosavljevic
  2017-06-25 10:41   ` Marius Bakke
  2017-07-20 15:54 ` bug#27429: Stack clash (CVE-2017-1000366 etc) Ludovic Courtès
  4 siblings, 1 reply; 37+ messages in thread
From: Danny Milosavljevic @ 2017-06-25  9:38 UTC (permalink / raw)
  To: 27429

Hi,

what do you all think of rebuilding the world with "-fstack-check" (either now or later on) ?

That would make gcc emit code to always grow the stack in a way that it certainly touches each 4 KiB (parametrizable by STACK_CHECK_PROBE_INTERVAL_EXP) page on the way.

I think that would be the right and permanent fix - unlike the whack-a-mole approach where we patch programs not to do what they are supposed to do, if their stack allocation happens to grow.

See also <https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt> and <https://gcc.gnu.org/onlinedocs/gccint/Stack-Checking.html>.

Note that the kernel itself has to put argv and envp into the user process' stack and this can already make the very first stack allocation that a process does in its main() need to grow the stack, and reach across the guard page.  So the right fix is to just make the stack allocations never reach across the guard page without using it.


* bug#27429: Stack clash (CVE-2017-1000366 etc); -fstack-check
  2017-06-25  9:38 ` bug#27429: Stack clash (CVE-2017-1000366 etc); -fstack-check Danny Milosavljevic
@ 2017-06-25 10:41   ` Marius Bakke
  2017-06-25 13:19     ` Leo Famulari
  0 siblings, 1 reply; 37+ messages in thread
From: Marius Bakke @ 2017-06-25 10:41 UTC (permalink / raw)
  To: Danny Milosavljevic, 27429


Danny Milosavljevic <dannym@scratchpost.org> writes:

> Hi,
>
> what do you all think of rebuilding the world with "-fstack-check" (either now or later on) ?
>
> That would make gcc emit code to always grow the stack in a way that it certainly touches each 4 KiB (parametrizable by STACK_CHECK_PROBE_INTERVAL_EXP) page on the way.
>
> I think that would be the right and permanent fix - unlike the whack-a-mole approach where we patch programs not to do what they are supposed to do, if their stack allocation happens to grow.
>
> See also <https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt> and <https://gcc.gnu.org/onlinedocs/gccint/Stack-Checking.html>.

Red Hat investigated this during the embargo[0] and found that the
current implementation in GCC has problems[1]. We should wait until
those issues are resolved first, but sounds good to me.

[0] http://seclists.org/oss-sec/2017/q2/556
[1] http://seclists.org/oss-sec/2017/q2/505


* bug#27429: Stack clash (CVE-2017-1000366 etc); -fstack-check
  2017-06-25 10:41   ` Marius Bakke
@ 2017-06-25 13:19     ` Leo Famulari
  0 siblings, 0 replies; 37+ messages in thread
From: Leo Famulari @ 2017-06-25 13:19 UTC (permalink / raw)
  To: 27429, mbakke, dannym

I agree, let's wait for guidance from the upstream GCC and GLIBC developers.


-------- Original Message --------
From: Marius Bakke <mbakke@fastmail.com>
Sent: June 25, 2017 6:41:06 AM EDT
To: Danny Milosavljevic <dannym@scratchpost.org>, 27429@debbugs.gnu.org
Subject: bug#27429: Stack clash (CVE-2017-1000366 etc); -fstack-check

Danny Milosavljevic <dannym@scratchpost.org> writes:

> Hi,
>
> what do you all think of rebuilding the world with "-fstack-check" (either now or later on) ?
>
> That would make gcc emit code to always grow the stack in a way that it certainly touches each 4 KiB (parametrizable by STACK_CHECK_PROBE_INTERVAL_EXP) page on the way.
>
> I think that would be the right and permanent fix - unlike the whack-a-mole approach where we patch programs not to do what they are supposed to do, if their stack allocation happens to grow.
>
> See also <https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt> and <https://gcc.gnu.org/onlinedocs/gccint/Stack-Checking.html>.

Red Hat investigated this during the embargo[0] and found that the
current implementation in GCC has problems[1]. We should wait until
those issues are resolved first, but sounds good to me.

[0] http://seclists.org/oss-sec/2017/q2/556
[1] http://seclists.org/oss-sec/2017/q2/505


* bug#27429: Stack clash (CVE-2017-1000366 etc)
  2017-06-24  7:11                   ` Mark H Weaver
@ 2017-06-26  8:41                     ` Ludovic Courtès
  2017-06-26 11:19                       ` Mark H Weaver
  0 siblings, 1 reply; 37+ messages in thread
From: Ludovic Courtès @ 2017-06-26  8:41 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: 27429

Hi Mark,

Mark H Weaver <mhw@netris.org> writes:

> I tried to copy the .drv files for the grafted 'glibc-final' and
> 'glibc-final-with-bootstrap-bash' from my machine to Hydra, in order to
> ask Hydra to build it, but both "guix copy" and "guix archive --export"
> failed:
>
> mhw@jojen ~$ guix copy --to=hydra@hydra /gnu/store/17gcwll4a2y3cjk8jf3fg2gr105m9f4i-glibc-2.25.drv /gnu/store/78j5arbcgjfbj0m91fn6p5s71kz7w2yw-glibc-2.25.drv
> sending 11 store items to 'localhost'...
> guix copy: error: corrupt input while restoring archive from #<closed: file 231bbd0>
> mhw@jojen ~$ guix archive --export /gnu/store/17gcwll4a2y3cjk8jf3fg2gr105m9f4i-glibc-2.25.drv /gnu/store/78j5arbcgjfbj0m91fn6p5s71kz7w2yw-glibc-2.25.drv > GRAFTED-GLIBC-DRVS.nar
> guix archive: error: corrupt input while restoring archive from #<closed: file 17e9d20>

Apparently they got built at some point.

As for the problems above: error reporting in ‘guix copy’ is suboptimal
(help welcome!), and the ‘guix archive --export’ problem looks like a
bug; could you report it?

> I'm concerned that i686 and armhf users are going to have a rude
> awakening when they not only have to build two variants of glibc, but
> also a bunch of the early bootstrap because the NARs are not available
> on Hydra.  It would be good if someone could take care of that.

Doing:

--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env guix build -e '(begin (use-modules (guix)) (package-replacement (@@ (gnu packages commencement) glibc-final)))' -s i686-linux --log-file --no-grafts
https://mirror.hydra.gnu.org/log/ivvdx2m0p6gnmcxmz355z106ffqg9p25-glibc-2.25.drv
--8<---------------cut here---------------end--------------->8---

I see that glibc fails to build on i686 (but I think you’ve just fixed
it?):

--8<---------------cut here---------------start------------->8---
i686-guix-linux-gnu-gcc ../sysdeps/i386/i686/multiarch/strcspn-c.c -c -std=gnu11 -fgnu89-inline  -O2 -Wall -Werror -Wundef -Wwrite-strings -fmerge-all-constants -fno-stack-protector -frounding-math -g -Wstrict-prototypes -Wold-style-definition   -fPIC -Wa,-mtune=i686  -mno-sse -mno-mmx -mfpmath=387  -msse4  -ftls-model=initial-exec      -I../include -I/tmp/guix-build-glibc-2.25.drv-0/build/string  -I/tmp/guix-build-glibc-2.25.drv-0/build  -I../sysdeps/unix/sysv/linux/i386/i686  -I../sysdeps/i386/i686/nptl  -I../sysdeps/unix/sysv/linux/i386  -I../sysdeps/unix/sysv/linux/x86  -I../sysdeps/i386/nptl  -I../sysdeps/unix/sysv/linux/include -I../sysdeps/unix/sysv/linux  -I../sysdeps/nptl  -I../sysdeps/pthread  -I../sysdeps/gnu  -I../sysdeps/unix/inet  -I../sysdeps/unix/sysv  -I../sysdeps/unix/i386  -I../sysdeps/unix  -I../sysdeps/posix  -I../sysdeps/i386/i686/fpu/multiarch  -I../sysdeps/i386/i686/fpu  -I../sysdeps/i386/i686/multiarch  -I../sysdeps/i386/i686  -I../sysdeps/i386/fpu  -I../sysdeps/x86/fpu/include -I../sysdeps/x86/fpu  -I../sysdeps/i386  -I../sysdeps/x86  -I../sysdeps/wordsize-32  -I../sysdeps/ieee754/ldbl-96/include -I../sysdeps/ieee754/ldbl-96  -I../sysdeps/ieee754/dbl-64  -I../sysdeps/ieee754/flt-32  -I../sysdeps/ieee754  -I../sysdeps/generic  -I.. -I../libio -I. 
-nostdinc -isystem /gnu/store/85qsxn71dn6944df5kcvkxg0nm3xdg6z-gcc-cross-boot0-5.4.0-lib/lib/gcc/i686-guix-linux-gnu/5.4.0/include -isystem /gnu/store/85qsxn71dn6944df5kcvkxg0nm3xdg6z-gcc-cross-boot0-5.4.0-lib/lib/gcc/i686-guix-linux-gnu/5.4.0/include-fixed -isystem /gnu/store/cwls4k58gw85lsrm2m2icpgwhvd0452n-linux-libre-headers-4.4.47/include  -D_LIBC_REENTRANT -include /tmp/guix-build-glibc-2.25.drv-0/build/libc-modules.h -DMODULE_NAME=rtld -include ../include/libc-symbols.h  -DPIC -DSHARED     -o /tmp/guix-build-glibc-2.25.drv-0/build/string/rtld-strcspn-c.os -MD -MP -MF /tmp/guix-build-glibc-2.25.drv-0/build/string/rtld-strcspn-c.os.dt -MT /tmp/guix-build-glibc-2.25.drv-0/build/string/rtld-strcspn-c.os  -mno-sse -mno-mmx -mfpmath=387 
In file included from ../sysdeps/x86_64/multiarch/strcspn-c.c:22:0,
                 from ../sysdeps/i386/i686/multiarch/strcspn-c.c:2:
../sysdeps/x86_64/multiarch/varshift.h: In function '__m128i_shift_right':
../sysdeps/x86_64/multiarch/varshift.h:26:1: error: SSE vector return without SSE enabled changes the ABI [-Werror=psabi]
 {
 ^
In file included from /gnu/store/85qsxn71dn6944df5kcvkxg0nm3xdg6z-gcc-cross-boot0-5.4.0-lib/lib/gcc/i686-guix-linux-gnu/5.4.0/include/smmintrin.h:32:0,
                 from /gnu/store/85qsxn71dn6944df5kcvkxg0nm3xdg6z-gcc-cross-boot0-5.4.0-lib/lib/gcc/i686-guix-linux-gnu/5.4.0/include/nmmintrin.h:31,
                 from ../sysdeps/x86_64/multiarch/strcspn-c.c:20,
                 from ../sysdeps/i386/i686/multiarch/strcspn-c.c:2:
/gnu/store/85qsxn71dn6944df5kcvkxg0nm3xdg6z-gcc-cross-boot0-5.4.0-lib/lib/gcc/i686-guix-linux-gnu/5.4.0/include/tmmintrin.h:136:1: error: inlining failed in call to always_inline '_mm_shuffle_epi8': target specific option mismatch
 _mm_shuffle_epi8 (__m128i __X, __m128i __Y)
 ^
In file included from ../sysdeps/x86_64/multiarch/strcspn-c.c:22:0,
                 from ../sysdeps/i386/i686/multiarch/strcspn-c.c:2:
../sysdeps/x86_64/multiarch/varshift.h:27:10: error: called from here
   return _mm_shuffle_epi8 (value,
          ^
In file included from /gnu/store/85qsxn71dn6944df5kcvkxg0nm3xdg6z-gcc-cross-boot0-5.4.0-lib/lib/gcc/i686-guix-linux-gnu/5.4.0/include/pmmintrin.h:31:0,
                 from /gnu/store/85qsxn71dn6944df5kcvkxg0nm3xdg6z-gcc-cross-boot0-5.4.0-lib/lib/gcc/i686-guix-linux-gnu/5.4.0/include/tmmintrin.h:31,
                 from /gnu/store/85qsxn71dn6944df5kcvkxg0nm3xdg6z-gcc-cross-boot0-5.4.0-lib/lib/gcc/i686-guix-linux-gnu/5.4.0/include/smmintrin.h:32,
                 from /gnu/store/85qsxn71dn6944df5kcvkxg0nm3xdg6z-gcc-cross-boot0-5.4.0-lib/lib/gcc/i686-guix-linux-gnu/5.4.0/include/nmmintrin.h:31,
                 from ../sysdeps/x86_64/multiarch/strcspn-c.c:20,
                 from ../sysdeps/i386/i686/multiarch/strcspn-c.c:2:
/gnu/store/85qsxn71dn6944df5kcvkxg0nm3xdg6z-gcc-cross-boot0-5.4.0-lib/lib/gcc/i686-guix-linux-gnu/5.4.0/include/emmintrin.h:696:1: error: inlining failed in call to always_inline '_mm_loadu_si128': target specific option mismatch
 _mm_loadu_si128 (__m128i const *__P)
 ^
In file included from ../sysdeps/x86_64/multiarch/strcspn-c.c:22:0,
                 from ../sysdeps/i386/i686/multiarch/strcspn-c.c:2:
../sysdeps/x86_64/multiarch/varshift.h:27:10: error: called from here
   return _mm_shuffle_epi8 (value,
          ^
cc1: all warnings being treated as errors
make[4]: *** [/tmp/guix-build-glibc-2.25.drv-0/build/sysd-rules:561: /tmp/guix-build-glibc-2.25.drv-0/build/string/rtld-strcspn-c.os] Error 1
make[4]: Leaving directory '/tmp/guix-build-glibc-2.25.drv-0/glibc-2.25/string'
make[3]: *** [../o-iterator.mk:9: /tmp/guix-build-glibc-2.25.drv-0/build/string/rtld-strchr.os] Error 2
make[3]: Leaving directory '/tmp/guix-build-glibc-2.25.drv-0/glibc-2.25/elf'
make[2]: *** [Makefile:443: /tmp/guix-build-glibc-2.25.drv-0/build/elf/rtld-libc.a] Error 2
make[2]: Leaving directory '/tmp/guix-build-glibc-2.25.drv-0/glibc-2.25/elf'
make[1]: *** [Makefile:215: elf/subdir_lib] Error 2
make[1]: Leaving directory '/tmp/guix-build-glibc-2.25.drv-0/glibc-2.25'
make: *** [Makefile:9: all] Error 2
phase `build' failed after 327.9 seconds
builder for `/gnu/store/ivvdx2m0p6gnmcxmz355z106ffqg9p25-glibc-2.25.drv' failed with exit code 1
--8<---------------cut here---------------end--------------->8---

The ARM variant builds fine though:

--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env guix build -e '(begin (use-modules (guix)) (package-replacement (@@ (gnu packages commencement) glibc-final)))' -s armhf-linux -n --substitute-urls=https://hydra.gnu.org
substitute: updating list of substitutes from 'https://hydra.gnu.org'... 100.0%
27.4 MB would be downloaded:
   /gnu/store/9xcjggbxli1gdp9daz97v1f1f0yxnsxv-glibc-2.25-debug
   /gnu/store/4i5ih43cjk3syk8r24lc12snqfd9dm8m-glibc-2.25
$ git describe
v0.13.0-1020-ga1b46bdc0
--8<---------------cut here---------------end--------------->8---

Ludo’.


* bug#27429: Stack clash (CVE-2017-1000366 etc)
  2017-06-26  8:41                     ` Ludovic Courtès
@ 2017-06-26 11:19                       ` Mark H Weaver
  2017-06-27 13:57                         ` Ludovic Courtès
  0 siblings, 1 reply; 37+ messages in thread
From: Mark H Weaver @ 2017-06-26 11:19 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 27429

Hi Ludovic,

ludo@gnu.org (Ludovic Courtès) writes:

> Mark H Weaver <mhw@netris.org> writes:
>
>> I tried to copy the .drv files for the grafted 'glibc-final' and
>> 'glibc-final-with-bootstrap-bash' from my machine to Hydra, in order to
>> ask Hydra to build it, but both "guix copy" and "guix archive --export"
>> failed:
>>
>> mhw@jojen ~$ guix copy --to=hydra@hydra
>> /gnu/store/17gcwll4a2y3cjk8jf3fg2gr105m9f4i-glibc-2.25.drv
>> /gnu/store/78j5arbcgjfbj0m91fn6p5s71kz7w2yw-glibc-2.25.drv
>> sending 11 store items to 'localhost'...
>> guix copy: error: corrupt input while restoring archive from #<closed: file 231bbd0>
>> mhw@jojen ~$ guix archive --export
>> /gnu/store/17gcwll4a2y3cjk8jf3fg2gr105m9f4i-glibc-2.25.drv
>> /gnu/store/78j5arbcgjfbj0m91fn6p5s71kz7w2yw-glibc-2.25.drv >
>> GRAFTED-GLIBC-DRVS.nar
>> guix archive: error: corrupt input while restoring archive from #<closed: file 17e9d20>
>
> Apparently they got built at some point.

Yes, I ran "guix pull" for user mhw on Hydra, and then asked it to build
a grafted 'hello' for all three hydra-supported platforms.  This
entailed building a grafted 'glibc-final' as well as 'perl' and 'expat'.
I then ran:

  guix challenge --substitute-urls=https://hydra.gnu.org /gnu/store/...

to generate narinfo requests for the relevant outputs, on the theory
that this would cause guix-publish to build NARs.  (Am I right?)

> As for the problems above: error reporting in ‘guix copy’ is suboptimal
> (help welcome!), and the ‘guix archive --export’ problem looks like a
> bug; could you report it?

Sure.

>> I'm concerned that i686 and armhf users are going to have a rude
>> awakening when they not only have to build two variants of glibc, but
>> also a bunch of the early bootstrap because the NARs are not available
>> on Hydra.  It would be good if someone could take care of that.
>
> Doing:
>
> $ ./pre-inst-env guix build -e '(begin (use-modules (guix)) (package-replacement (@@ (gnu packages commencement) glibc-final)))' -s i686-linux --log-file --no-grafts
> https://mirror.hydra.gnu.org/log/ivvdx2m0p6gnmcxmz355z106ffqg9p25-glibc-2.25.drv
>
>
> I see that glibc fails to build on i686 (but I think you’ve just fixed
> it?):

Yes, I fixed the i686 problem in commit
ffc015bea26f24d862e7e877d907fbe1ab9a9967.  FYI, this problem was
reported as a separate bug, which is now closed:

  https://bugs.gnu.org/27489

      Thanks,
        Mark


* bug#27429: Stack clash (CVE-2017-1000366 etc)
  2017-06-26 11:19                       ` Mark H Weaver
@ 2017-06-27 13:57                         ` Ludovic Courtès
  0 siblings, 0 replies; 37+ messages in thread
From: Ludovic Courtès @ 2017-06-27 13:57 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: 27429

Mark H Weaver <mhw@netris.org> writes:

> Yes, I ran "guix pull" for user mhw on Hydra, and then asked it to build
> a grafted 'hello' for all three hydra-supported platforms.  This
> entailed building a grafted 'glibc-final' as well as 'perl' and 'expat'.
> I then ran:
>
>   guix challenge --substitute-urls=https://hydra.gnu.org /gnu/store/...
>
> to generate narinfo requests for the relevant outputs, on the theory
> that this would cause guix-publish to build NARs.  (Am I right?)

You are, that’s a good strategy.  :-)

Thanks,
Ludo’.


* bug#27429: Stack clash (CVE-2017-1000366 etc)
  2017-06-23 17:20           ` bug#27429: Stack clash (CVE-2017-1000366 etc) Leo Famulari
  2017-06-23 18:36             ` Mark H Weaver
@ 2017-06-28 21:55             ` Leo Famulari
  1 sibling, 0 replies; 37+ messages in thread
From: Leo Famulari @ 2017-06-28 21:55 UTC (permalink / raw)
  Cc: 27429


On Fri, Jun 23, 2017 at 01:20:38PM -0400, Leo Famulari wrote:
> By the way, Qualys will probably begin publishing their exploits on
> Tuesday [0]:

Here they are:

http://seclists.org/oss-sec/2017/q2/635

It would be good if we tested the relevant exploits against GuixSD.


* bug#27429: Stack clash (CVE-2017-1000366 etc)
  2017-06-22  6:44               ` Mark H Weaver
  2017-06-22 16:17                 ` Leo Famulari
@ 2017-06-29 10:58                 ` Ludovic Courtès
  2017-06-29 15:49                   ` Mark H Weaver
  1 sibling, 1 reply; 37+ messages in thread
From: Ludovic Courtès @ 2017-06-29 10:58 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: 27429


Hello gentlefolks!

As discussed yesterday on IRC, here’s a patch that applies the glibc
patches for CVE-2017-1000366 in ‘core-updates’.

That’s a rebuild-the-world change but we still have work to do in
‘core-updates’ anyway, notably regarding the Perl dot-in-@INC issue.

OK for you?

Thanks,
Ludo’.


[-- Attachment #2: the patch --]
[-- Type: text/x-patch, Size: 15440 bytes --]

From 0118abc2ffd880c704f66294cf76ce0b8ddae803 Mon Sep 17 00:00:00 2001
From: Ludovic Courtès <ludo@gnu.org>
Date: Thu, 29 Jun 2017 12:53:14 +0200
Subject: [PATCH] gnu: glibc/linux: Add patches for CVE-2017-1000366.

* gnu/packages/patches/glibc-CVE-2017-1000366-pt1.patch,
gnu/packages/patches/glibc-CVE-2017-1000366-pt2.patch,
gnu/packages/patches/glibc-CVE-2017-1000366-pt3.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/base.scm (glibc/linux)[source](patches): Add them.
---
 gnu/local.mk                                       |   3 +
 gnu/packages/base.scm                              |   5 +-
 .../patches/glibc-CVE-2017-1000366-pt1.patch       |  36 ++++
 .../patches/glibc-CVE-2017-1000366-pt2.patch       | 124 +++++++++++++
 .../patches/glibc-CVE-2017-1000366-pt3.patch       | 206 +++++++++++++++++++++
 5 files changed, 373 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/glibc-CVE-2017-1000366-pt1.patch
 create mode 100644 gnu/packages/patches/glibc-CVE-2017-1000366-pt2.patch
 create mode 100644 gnu/packages/patches/glibc-CVE-2017-1000366-pt3.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 1ae2a2d26..06bd98112 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -622,6 +622,9 @@ dist_patch_DATA =						\
   %D%/packages/patches/ghostscript-runpath.patch		\
   %D%/packages/patches/glib-networking-ssl-cert-file.patch	\
   %D%/packages/patches/glib-tests-timer.patch			\
+  %D%/packages/patches/glibc-CVE-2017-1000366-pt1.patch		\
+  %D%/packages/patches/glibc-CVE-2017-1000366-pt2.patch		\
+  %D%/packages/patches/glibc-CVE-2017-1000366-pt3.patch		\
   %D%/packages/patches/glibc-bootstrap-system.patch		\
   %D%/packages/patches/glibc-ldd-x86_64.patch			\
   %D%/packages/patches/glibc-locales.patch			\
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index b9364f81f..f5aea0812 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -532,7 +532,10 @@ store.")
             (patches (search-patches "glibc-ldd-x86_64.patch"
                                      "glibc-versioned-locpath.patch"
                                      "glibc-o-largefile.patch"
-                                     "glibc-memchr-overflow-i686.patch"))))
+                                     "glibc-memchr-overflow-i686.patch"
+                                     "glibc-CVE-2017-1000366-pt1.patch"
+                                     "glibc-CVE-2017-1000366-pt2.patch"
+                                     "glibc-CVE-2017-1000366-pt3.patch"))))
    (build-system gnu-build-system)
 
    ;; Glibc's <limits.h> refers to <linux/limit.h>, for instance, so glibc
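
Review bot: only the patch list of glibc/linux is extended here, while base.scm's older glibc variants keep their own patch lists (Mark's reply in this thread notes that glibc-memchr-overflow-i686.patch was missed on those variants during the merge); before the world rebuild, confirm whether they inherit this source or need the three CVE-2017-1000366 patches added as well.
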
diff --git a/gnu/packages/patches/glibc-CVE-2017-1000366-pt1.patch b/gnu/packages/patches/glibc-CVE-2017-1000366-pt1.patch
new file mode 100644
index 000000000..71e80968b
--- /dev/null
+++ b/gnu/packages/patches/glibc-CVE-2017-1000366-pt1.patch
@@ -0,0 +1,36 @@
+From f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 19 Jun 2017 17:09:55 +0200
+Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1
+ programs [BZ #21624]
+
+LD_LIBRARY_PATH can only be used to reorder system search paths, which
+is not useful functionality.
+
+This makes an exploitable unbounded alloca in _dl_init_paths unreachable
+for AT_SECURE=1 programs.
+
+patch from:
+https://sourceware.org/git/?p=glibc.git;a=commit;h=f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d
+---
+ ChangeLog  | 7 +++++++
+ elf/rtld.c | 3 ++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 2446a87..2269dbe 100644
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -2422,7 +2422,8 @@ process_envvars (enum mode *modep)
+ 
+ 	case 12:
+ 	  /* The library search path.  */
+-	  if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
++	  if (!__libc_enable_secure
++	      && memcmp (envline, "LIBRARY_PATH", 12) == 0)
+ 	    {
+ 	      library_path = &envline[13];
+ 	      break;
+-- 
+2.9.3
+
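
Review bot: the diffstat kept in the embedded patch header (ChangeLog | 7 +++++++, 2 files changed) no longer matches the body, which carries only the elf/rtld.c hunk; trim the stat to the one file or note the ChangeLog omission so it is not confused with the upstream commit named in the "patch from:" line. The change itself reads correctly: with `!__libc_enable_secure &&` guarding the LIBRARY_PATH match, library_path is never set for AT_SECURE=1 programs, which is what makes the alloca in _dl_init_paths unreachable as the description says.
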
diff --git a/gnu/packages/patches/glibc-CVE-2017-1000366-pt2.patch b/gnu/packages/patches/glibc-CVE-2017-1000366-pt2.patch
new file mode 100644
index 000000000..4b859c4bf
--- /dev/null
+++ b/gnu/packages/patches/glibc-CVE-2017-1000366-pt2.patch
@@ -0,0 +1,124 @@
+From 6d0ba622891bed9d8394eef1935add53003b12e8 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 19 Jun 2017 22:31:04 +0200
+Subject: [PATCH] ld.so: Reject overly long LD_PRELOAD path elements
+
+patch from:
+https://sourceware.org/git/?p=glibc.git;a=patch;h=6d0ba622891bed9d8394eef1935add53003b12e8
+
+---
+ ChangeLog  |  7 ++++++
+ elf/rtld.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++------------
+ 2 files changed, 73 insertions(+), 16 deletions(-)
+
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 2269dbe..86ae20c 100644
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -99,6 +99,35 @@ uintptr_t __pointer_chk_guard_local
+ strong_alias (__pointer_chk_guard_local, __pointer_chk_guard)
+ #endif
+ 
++/* Length limits for names and paths, to protect the dynamic linker,
++   particularly when __libc_enable_secure is active.  */
++#ifdef NAME_MAX
++# define SECURE_NAME_LIMIT NAME_MAX
++#else
++# define SECURE_NAME_LIMIT 255
++#endif
++#ifdef PATH_MAX
++# define SECURE_PATH_LIMIT PATH_MAX
++#else
++# define SECURE_PATH_LIMIT 1024
++#endif
++
++/* Check that AT_SECURE=0, or that the passed name does not contain
++   directories and is not overly long.  Reject empty names
++   unconditionally.  */
++static bool
++dso_name_valid_for_suid (const char *p)
++{
++  if (__glibc_unlikely (__libc_enable_secure))
++    {
++      /* Ignore pathnames with directories for AT_SECURE=1
++	 programs, and also skip overlong names.  */
++      size_t len = strlen (p);
++      if (len >= SECURE_NAME_LIMIT || memchr (p, '/', len) != NULL)
++	return false;
++    }
++  return *p != '\0';
++}
+ 
+ /* List of auditing DSOs.  */
+ static struct audit_list
+@@ -718,6 +747,42 @@ static const char *preloadlist attribute_relro;
+ /* Nonzero if information about versions has to be printed.  */
+ static int version_info attribute_relro;
+ 
++/* The LD_PRELOAD environment variable gives list of libraries
++   separated by white space or colons that are loaded before the
++   executable's dependencies and prepended to the global scope list.
++   (If the binary is running setuid all elements containing a '/' are
++   ignored since it is insecure.)  Return the number of preloads
++   performed.  */
++unsigned int
++handle_ld_preload (const char *preloadlist, struct link_map *main_map)
++{
++  unsigned int npreloads = 0;
++  const char *p = preloadlist;
++  char fname[SECURE_PATH_LIMIT];
++
++  while (*p != '\0')
++    {
++      /* Split preload list at space/colon.  */
++      size_t len = strcspn (p, " :");
++      if (len > 0 && len < sizeof (fname))
++	{
++	  memcpy (fname, p, len);
++	  fname[len] = '\0';
++	}
++      else
++	fname[0] = '\0';
++
++      /* Skip over the substring and the following delimiter.  */
++      p += len;
++      if (*p != '\0')
++	++p;
++
++      if (dso_name_valid_for_suid (fname))
++	npreloads += do_preload (fname, main_map, "LD_PRELOAD");
++    }
++  return npreloads;
++}
++
+ static void
+ dl_main (const ElfW(Phdr) *phdr,
+ 	 ElfW(Word) phnum,
+@@ -1464,23 +1529,8 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
+ 
+   if (__glibc_unlikely (preloadlist != NULL))
+     {
+-      /* The LD_PRELOAD environment variable gives list of libraries
+-	 separated by white space or colons that are loaded before the
+-	 executable's dependencies and prepended to the global scope
+-	 list.  If the binary is running setuid all elements
+-	 containing a '/' are ignored since it is insecure.  */
+-      char *list = strdupa (preloadlist);
+-      char *p;
+-
+       HP_TIMING_NOW (start);
+-
+-      /* Prevent optimizing strsep.  Speed is not important here.  */
+-      while ((p = (strsep) (&list, " :")) != NULL)
+-	if (p[0] != '\0'
+-	    && (__builtin_expect (! __libc_enable_secure, 1)
+-		|| strchr (p, '/') == NULL))
+-	  npreloads += do_preload (p, main_map, "LD_PRELOAD");
+-
++      npreloads += handle_ld_preload (preloadlist, main_map);
+       HP_TIMING_NOW (stop);
+       HP_TIMING_DIFF (diff, start, stop);
+       HP_TIMING_ACCUM_NT (load_time, diff);
+-- 
+2.9.3
+
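
Review bot: handle_ld_preload is introduced without `static` although it is only called from dl_main, unlike dso_name_valid_for_suid just above it; mark it static as well. Two behaviour points deserve a sentence in the description: the fixed `char fname[SECURE_PATH_LIMIT]` buffer replaces the old `strdupa (preloadlist)` copy of the whole variable, which is the attacker-sized stack allocation being removed, and because an element with `len >= sizeof (fname)` becomes an empty name that dso_name_valid_for_suid rejects, overlong LD_PRELOAD entries are now silently dropped for all programs, not only AT_SECURE=1 ones. The diffstat again lists a ChangeLog file that is not in the body.
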
diff --git a/gnu/packages/patches/glibc-CVE-2017-1000366-pt3.patch b/gnu/packages/patches/glibc-CVE-2017-1000366-pt3.patch
new file mode 100644
index 000000000..3d8f6d2bf
--- /dev/null
+++ b/gnu/packages/patches/glibc-CVE-2017-1000366-pt3.patch
@@ -0,0 +1,206 @@
+From 81b82fb966ffbd94353f793ad17116c6088dedd9 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 19 Jun 2017 22:32:12 +0200
+Subject: [PATCH] ld.so: Reject overly long LD_AUDIT path elements
+
+Also only process the last LD_AUDIT entry.
+
+patch from:
+https://sourceware.org/git/?p=glibc.git;a=commit;h=81b82fb966ffbd94353f793ad17116c6088dedd9
+
+---
+ ChangeLog  |  11 +++++++
+ elf/rtld.c | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++---------
+ 2 files changed, 106 insertions(+), 15 deletions(-)
+
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 86ae20c..65647fb 100644
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -129,13 +129,91 @@ dso_name_valid_for_suid (const char *p)
+   return *p != '\0';
+ }
+ 
+-/* List of auditing DSOs.  */
++/* LD_AUDIT variable contents.  Must be processed before the
++   audit_list below.  */
++const char *audit_list_string;
++
++/* Cyclic list of auditing DSOs.  audit_list->next is the first
++   element.  */
+ static struct audit_list
+ {
+   const char *name;
+   struct audit_list *next;
+ } *audit_list;
+ 
++/* Iterator for audit_list_string followed by audit_list.  */
++struct audit_list_iter
++{
++  /* Tail of audit_list_string still needing processing, or NULL.  */
++  const char *audit_list_tail;
++
++  /* The list element returned in the previous iteration.  NULL before
++     the first element.  */
++  struct audit_list *previous;
++
++  /* Scratch buffer for returning a name which is part of
++     audit_list_string.  */
++  char fname[SECURE_NAME_LIMIT];
++};
++
++/* Initialize an audit list iterator.  */
++static void
++audit_list_iter_init (struct audit_list_iter *iter)
++{
++  iter->audit_list_tail = audit_list_string;
++  iter->previous = NULL;
++}
++
++/* Iterate through both audit_list_string and audit_list.  */
++static const char *
++audit_list_iter_next (struct audit_list_iter *iter)
++{
++  if (iter->audit_list_tail != NULL)
++    {
++      /* First iterate over audit_list_string.  */
++      while (*iter->audit_list_tail != '\0')
++	{
++	  /* Split audit list at colon.  */
++	  size_t len = strcspn (iter->audit_list_tail, ":");
++	  if (len > 0 && len < sizeof (iter->fname))
++	    {
++	      memcpy (iter->fname, iter->audit_list_tail, len);
++	      iter->fname[len] = '\0';
++	    }
++	  else
++	    /* Do not return this name to the caller.  */
++	    iter->fname[0] = '\0';
++
++	  /* Skip over the substring and the following delimiter.  */
++	  iter->audit_list_tail += len;
++	  if (*iter->audit_list_tail == ':')
++	    ++iter->audit_list_tail;
++
++	  /* If the name is valid, return it.  */
++	  if (dso_name_valid_for_suid (iter->fname))
++	    return iter->fname;
++	  /* Otherwise, wrap around and try the next name.  */
++	}
++      /* Fall through to the procesing of audit_list.  */
++    }
++
++  if (iter->previous == NULL)
++    {
++      if (audit_list == NULL)
++	/* No pre-parsed audit list.  */
++	return NULL;
++      /* Start of audit list.  The first list element is at
++	 audit_list->next (cyclic list).  */
++      iter->previous = audit_list->next;
++      return iter->previous->name;
++    }
++  if (iter->previous == audit_list)
++    /* Cyclic list wrap-around.  */
++    return NULL;
++  iter->previous = iter->previous->next;
++  return iter->previous->name;
++}
++
+ #ifndef HAVE_INLINED_SYSCALLS
+ /* Set nonzero during loading and initialization of executable and
+    libraries, cleared before the executable's entry point runs.  This
+@@ -1305,11 +1383,13 @@ of this helper program; chances are you did not intend to run this program.\n\
+     GL(dl_rtld_map).l_tls_modid = _dl_next_tls_modid ();
+ 
+   /* If we have auditing DSOs to load, do it now.  */
+-  if (__glibc_unlikely (audit_list != NULL))
++  bool need_security_init = true;
++  if (__glibc_unlikely (audit_list != NULL)
++      || __glibc_unlikely (audit_list_string != NULL))
+     {
+-      /* Iterate over all entries in the list.  The order is important.  */
+       struct audit_ifaces *last_audit = NULL;
+-      struct audit_list *al = audit_list->next;
++      struct audit_list_iter al_iter;
++      audit_list_iter_init (&al_iter);
+ 
+       /* Since we start using the auditing DSOs right away we need to
+ 	 initialize the data structures now.  */
+@@ -1320,9 +1400,14 @@ of this helper program; chances are you did not intend to run this program.\n\
+ 	 use different values (especially the pointer guard) and will
+ 	 fail later on.  */
+       security_init ();
++      need_security_init = false;
+ 
+-      do
++      while (true)
+ 	{
++	  const char *name = audit_list_iter_next (&al_iter);
++	  if (name == NULL)
++	    break;
++
+ 	  int tls_idx = GL(dl_tls_max_dtv_idx);
+ 
+ 	  /* Now it is time to determine the layout of the static TLS
+@@ -1331,7 +1416,7 @@ of this helper program; chances are you did not intend to run this program.\n\
+ 	     no DF_STATIC_TLS bit is set.  The reason is that we know
+ 	     glibc will use the static model.  */
+ 	  struct dlmopen_args dlmargs;
+-	  dlmargs.fname = al->name;
++	  dlmargs.fname = name;
+ 	  dlmargs.map = NULL;
+ 
+ 	  const char *objname;
+@@ -1344,7 +1429,7 @@ of this helper program; chances are you did not intend to run this program.\n\
+ 	    not_loaded:
+ 	      _dl_error_printf ("\
+ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
+-				al->name, err_str);
++				name, err_str);
+ 	      if (malloced)
+ 		free ((char *) err_str);
+ 	    }
+@@ -1448,10 +1533,7 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
+ 		  goto not_loaded;
+ 		}
+ 	    }
+-
+-	  al = al->next;
+ 	}
+-      while (al != audit_list->next);
+ 
+       /* If we have any auditing modules, announce that we already
+ 	 have two objects loaded.  */
+@@ -1715,7 +1797,7 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
+   if (tcbp == NULL)
+     tcbp = init_tls ();
+ 
+-  if (__glibc_likely (audit_list == NULL))
++  if (__glibc_likely (need_security_init))
+     /* Initialize security features.  But only if we have not done it
+        earlier.  */
+     security_init ();
+@@ -2346,9 +2428,7 @@ process_dl_audit (char *str)
+   char *p;
+ 
+   while ((p = (strsep) (&str, ":")) != NULL)
+-    if (p[0] != '\0'
+-	&& (__builtin_expect (! __libc_enable_secure, 1)
+-	    || strchr (p, '/') == NULL))
++    if (dso_name_valid_for_suid (p))
+       {
+ 	/* This is using the local malloc, not the system malloc.  The
+ 	   memory can never be freed.  */
+@@ -2412,7 +2492,7 @@ process_envvars (enum mode *modep)
+ 	      break;
+ 	    }
+ 	  if (memcmp (envline, "AUDIT", 5) == 0)
+-	    process_dl_audit (&envline[6]);
++	    audit_list_string = &envline[6];
+ 	  break;
+ 
+ 	case 7:
+-- 
+2.9.3
+
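
Review bot: `const char *audit_list_string;` is file-scope but not static while every other new symbol in this hunk is; make it static unless something outside rtld.c needs it. The iterator's scratch buffer is `char fname[SECURE_NAME_LIMIT]` (NAME_MAX, 255 by default) whereas handle_ld_preload in pt2 uses SECURE_PATH_LIMIT, so LD_AUDIT elements of 255 bytes or more are dropped for every program; that matches dso_name_valid_for_suid in the secure case but is stricter than the old strsep loop for non-secure programs, and belongs in the description next to "only process the last LD_AUDIT entry" (which is what `audit_list_string = &envline[6];` replacing the process_dl_audit call achieves). Typo in the new comment: "procesing".
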
-- 
2.13.1



* bug#27429: Stack clash (CVE-2017-1000366 etc)
  2017-06-29 10:58                 ` Ludovic Courtès
@ 2017-06-29 15:49                   ` Mark H Weaver
  2017-06-29 20:06                     ` Ludovic Courtès
  0 siblings, 1 reply; 37+ messages in thread
From: Mark H Weaver @ 2017-06-29 15:49 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 27429

ludo@gnu.org (Ludovic Courtès) writes:

> As discussed yesterday on IRC, here’s a patch that applies the glibc
> patches for CVE-2017-1000366 in ‘core-updates’.
>
> That’s a rebuild-the-world change but we still have work to do in
> ‘core-updates’ anyway, notably regarding the Perl dot-in-@INC issue.
>
> OK for you?

Sounds good to me, but I've already merged 'master' into 'core-updates'
with this as a graft, so what remains is to ungraft it there.

Also note that when I merged it, I forgot to add
"glibc-memchr-overflow-i686.patch" to the older variants of 'glibc'.
Unfortunately, this was a case where git merge automatically did the
wrong thing, without any conflict.  I was going to fix this soon by
eliminating the redundant lists of patches, but now I won't have to.

     Thanks,
       Mark


* bug#27429: Stack clash (CVE-2017-1000366 etc)
  2017-06-29 15:49                   ` Mark H Weaver
@ 2017-06-29 20:06                     ` Ludovic Courtès
  2017-06-29 21:03                       ` bug#27429: core-updates and shishi [was Re: bug#27429: Stack clash (CVE-2017-1000366 etc)] Leo Famulari
  0 siblings, 1 reply; 37+ messages in thread
From: Ludovic Courtès @ 2017-06-29 20:06 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: 27429

Mark H Weaver <mhw@netris.org> writes:

> ludo@gnu.org (Ludovic Courtès) writes:
>
>> As discussed yesterday on IRC, here’s a patch that applies the glibc
>> patches for CVE-2017-1000366 in ‘core-updates’.
>>
>> That’s a rebuild-the-world change but we still have work to do in
>> ‘core-updates’ anyway, notably regarding the Perl dot-in-@INC issue.
>>
>> OK for you?
>
> Sounds good to me, but I've already merged 'master' into 'core-updates'
> with this as a graft, so what's remains is to ungraft it there.

Indeed.  I rebased and adjusted the patch and pushed as
503a4df904b8d4b82caebdb17db9c5f76a952418.

Leo, let me know when you feel that we should start a new evaluation.

Thank you,
Ludo’.


* bug#27429: core-updates and shishi [was Re: bug#27429: Stack clash (CVE-2017-1000366 etc)]
  2017-06-29 20:06                     ` Ludovic Courtès
@ 2017-06-29 21:03                       ` Leo Famulari
  2017-06-29 22:27                         ` Ludovic Courtès
  0 siblings, 1 reply; 37+ messages in thread
From: Leo Famulari @ 2017-06-29 21:03 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 27429



On Thu, Jun 29, 2017 at 10:06:08PM +0200, Ludovic Courtès wrote:
> Leo, let me know when you feel that we should start a new evaluation.

First I want to ungraft today's libgcrypt and poppler replacements.

I also want to apply the attached patch so we can stop using
libgcrypt-1.5 with Shishi, and instead use the latest libgcrypt. This
patch does require us to re-bootstrap Shishi, but I think it's worth it
if it means we can drop the older libgcrypt package. Does anyone have
feedback on this patch?

I'll do some local testing of this change in the next few hours and then
start the evaluation.

[-- Attachment #1.2: 0001-gnu-shishi-Build-with-latest-libgcrypt.patch --]

From 83fcaa7aac05f499a985ec02db55458e2d719de3 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Thu, 29 Jun 2017 04:11:18 -0400
Subject: [PATCH] gnu: shishi: Build with latest libgcrypt.

* gnu/packages/patches/shishi-fix-libgcrypt-detection.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/kerberos.scm (shishi)[source]: Use it.
[inputs]: Replace libgcrypt-1.5 with libgcrypt.
[native-inputs]: Add bootstrapping inputs.
[arguments]: Add a 'bootstrap' phase.
* gnu/packages/gnupg.scm (libgcrypt-1.5): Remove variable.
---
 gnu/local.mk                                       |  1 +
 gnu/packages/gnupg.scm                             | 12 --------
 gnu/packages/kerberos.scm                          | 28 ++++++++++++-------
 .../patches/shishi-fix-libgcrypt-detection.patch   | 32 ++++++++++++++++++++++
 4 files changed, 51 insertions(+), 22 deletions(-)
 create mode 100644 gnu/packages/patches/shishi-fix-libgcrypt-detection.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index b0690eda5..133eb977c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -986,6 +986,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/scotch-test-threading.patch		\
   %D%/packages/patches/sdl-libx11-1.6.patch			\
   %D%/packages/patches/seq24-rename-mutex.patch			\
+  %D%/packages/patches/shishi-fix-libgcrypt-detection.patch	\
   %D%/packages/patches/slim-session.patch			\
   %D%/packages/patches/slim-config.patch			\
   %D%/packages/patches/slim-sigusr1.patch			\
diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm
index 9efd32a3f..c5a9a8954 100644
--- a/gnu/packages/gnupg.scm
+++ b/gnu/packages/gnupg.scm
@@ -115,18 +115,6 @@ generation.")
     (properties '((ftp-server . "ftp.gnupg.org")
                   (ftp-directory . "/gcrypt/libgcrypt")))))
 
-(define-public libgcrypt-1.5
-  (package (inherit libgcrypt)
-    (version "1.5.6")
-    (source
-     (origin
-      (method url-fetch)
-      (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
-                          version ".tar.bz2"))
-      (sha256
-       (base32
-        "0ydy7bgra5jbq9mxl5x031nif3m6y3balc6ndw2ngj11wnsjc61h"))))))
-
 (define-public libassuan
   (package
     (name "libassuan")
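
Review bot: libgcrypt-1.5 is a define-public binding, so grep the other package modules for remaining users before deleting it; the commit message only accounts for shishi. Dropping the pinned 1.5.6 in favour of the current libgcrypt is a good outcome in itself, since Shishi's Kerberos crypto then tracks the maintained branch.
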
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 6be7c82bc..20f36d11d 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -23,8 +23,10 @@
 
 (define-module (gnu packages kerberos)
   #:use-module (gnu packages)
+  #:use-module (gnu packages autotools)
   #:use-module (gnu packages bison)
   #:use-module (gnu packages perl)
+  #:use-module (gnu packages gettext)
   #:use-module (gnu packages gnupg)
   #:use-module (gnu packages libidn)
   #:use-module (gnu packages linux)
@@ -32,6 +34,7 @@
   #:use-module (gnu packages compression)
   #:use-module (gnu packages databases)
   #:use-module (gnu packages readline)
+  #:use-module (gnu packages texinfo)
   #:use-module (gnu packages tls)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix packages)
@@ -104,25 +107,30 @@ cryptography.")
       (method url-fetch)
       (uri (string-append "mirror://gnu/shishi/shishi-"
                           version ".tar.gz"))
+      (patches (search-patches "shishi-fix-libgcrypt-detection.patch"))
       (sha256
        (base32
         "032qf72cpjdfffq1yq54gz3ahgqf2ijca4vl31sfabmjzq9q370d"))))
     (build-system gnu-build-system)
-    (native-inputs `(("pkg-config" ,pkg-config)))
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (add-before 'configure 'bootstrap
+           (lambda _ (zero? (system* "autoreconf" "-vfi")))))))
+    (native-inputs `(("pkg-config" ,pkg-config)
+                     ;; XXX For bootstrapping. Remove for the next Shishi
+                     ;; release after 1.0.2.
+                     ("autoconf" ,autoconf)
+                     ("automake" ,automake)
+                     ("gettext" ,gnu-gettext)
+                     ("libtool" ,libtool)
+                     ("texinfo" ,texinfo)))
     (inputs
      `(("gnutls" ,gnutls)
        ("libidn" ,libidn)
        ("linux-pam" ,linux-pam-1.2)
        ("zlib" ,zlib)
-       ;; libgcrypt 1.6 fails because of the following test:
-       ;;  #include <gcrypt.h>
-       ;; /* GCRY_MODULE_ID_USER was added in 1.4.4 and gc-libgcrypt.c
-       ;;    will fail on startup if we don't have 1.4.4 or later, so
-       ;;    test for it early. */
-       ;; #if !defined GCRY_MODULE_ID_USER
-       ;; error too old libgcrypt
-       ;; #endif
-       ("libgcrypt" ,libgcrypt-1.5)
+       ("libgcrypt" ,libgcrypt)
        ("libtasn1" ,libtasn1)))
     (home-page "https://www.gnu.org/software/shishi/")
     (synopsis "Implementation of the Kerberos 5 network security system")
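
Review bot: the new 'bootstrap phase and the five added native-inputs exist only to regenerate configure after gl/m4/gc.m4 is patched; as suggested later in this thread, presetting the cache variable with `#:configure-flags '("ac_cv_libgcrypt=yes")` skips the detection test without autoreconf, and in that case the gc.m4 patch has no effect because configure is never regenerated, so one of the two mechanisms is redundant and the patch plus its dist_patch_DATA entry could be dropped along with the bootstrap inputs.
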
diff --git a/gnu/packages/patches/shishi-fix-libgcrypt-detection.patch b/gnu/packages/patches/shishi-fix-libgcrypt-detection.patch
new file mode 100644
index 000000000..3db42feac
--- /dev/null
+++ b/gnu/packages/patches/shishi-fix-libgcrypt-detection.patch
@@ -0,0 +1,32 @@
+Fix building of Shishi with libgcrypt 1.6 and later.
+
+Patch copied from Debian:
+
+https://anonscm.debian.org/cgit/collab-maint/shishi.git/tree/debian/patches/fix_gcrypt_detection.diff?id=948301ae648a542a408da250755aeed58a6e3542
+
+Description: Fix autoconf gnutls detection to also accept gcrypt 1.6.
+Author: Andreas Metzler <ametzler@debian.org>
+Bug-Debian: http://bugs.debian.org/753150
+Origin: vendor
+Forwarded: no
+Last-Update: 2014-07-18
+
+--- shishi-1.0.2.orig/gl/m4/gc.m4
++++ shishi-1.0.2/gl/m4/gc.m4
+@@ -12,10 +12,12 @@ AC_DEFUN([gl_GC],
+   if test "$libgcrypt" != no; then
+     AC_LIB_HAVE_LINKFLAGS([gcrypt], [gpg-error], [
+ #include <gcrypt.h>
+-/* GCRY_MODULE_ID_USER was added in 1.4.4 and gc-libgcrypt.c
+-   will fail on startup if we don't have 1.4.4 or later, so
+-   test for it early. */
+-#if !defined GCRY_MODULE_ID_USER
++/* gc-libgcrypt.c will fail on startup if we don't have libgcrypt 1.4.4 or
++   later, test for it early. by checking for either
++   - GCRY_MODULE_ID_USER which was added in 1.4.4 and dropped in 1.6 or
++   - GCRYPT_VERSION_NUMBER which was added in 1.6.
++   */
++#if !defined GCRY_MODULE_ID_USER && !defined GCRYPT_VERSION_NUMBER
+ error too old libgcrypt
+ #endif
+ ])
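
Review bot: the Debian header line "Description: Fix autoconf gnutls detection" names the wrong library; the hunk changes the gcrypt version probe in gl/m4/gc.m4, so gcrypt is meant. The new test `!defined GCRY_MODULE_ID_USER && !defined GCRYPT_VERSION_NUMBER` accepts either marker, which matches the comment (the first macro was dropped in 1.6, the second added in 1.6); the sentence "later, test for it early. by checking for either" carries a stray full stop, cosmetic since the text is copied from Debian. Being an m4 change, it only takes effect if configure is regenerated, which is why the package definition grows a bootstrap phase.
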
-- 
2.13.2



* bug#27429: core-updates and shishi [was Re: bug#27429: Stack clash (CVE-2017-1000366 etc)]
  2017-06-29 21:03                       ` bug#27429: core-updates and shishi [was Re: bug#27429: Stack clash (CVE-2017-1000366 etc)] Leo Famulari
@ 2017-06-29 22:27                         ` Ludovic Courtès
  2017-06-30  6:47                           ` Leo Famulari
  0 siblings, 1 reply; 37+ messages in thread
From: Ludovic Courtès @ 2017-06-29 22:27 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 27429

Leo Famulari <leo@famulari.name> writes:

> On Thu, Jun 29, 2017 at 10:06:08PM +0200, Ludovic Courtès wrote:
>> Leo, let me know when you feel that we should start a new evaluation.
>
> First I want to ungraft today's libgcrypt and poppler replacements.
>
> I also want to apply the attached patch so we can stop using
> libgcrypt-1.5 with Shishi, and instead use the latest libgcrypt. This
> patch does require us to re-bootstrap Shishi, but I think it's worth it
> if it means we can drop the older libgcrypt package. Does anyone have
> feedback on this patch?

It’s a good idea.

> I'll do some local testing of this change in the next few hours and then
> start the evaluation.
>
> From 83fcaa7aac05f499a985ec02db55458e2d719de3 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Thu, 29 Jun 2017 04:11:18 -0400
> Subject: [PATCH] gnu: shishi: Build with latest libgcrypt.
>
> * gnu/packages/patches/shishi-fix-libgcrypt-detection.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/kerberos.scm (shishi)[source]: Use it.
> [inputs]: Replace libgcrypt-1.5 with libgcrypt.
> [native-inputs]: Add bootstrapping inputs.
> [arguments]: Add a 'bootstrap' phase.
> * gnu/packages/gnupg.scm (libgcrypt-1.5): Remove variable.

[...]

>        (method url-fetch)
>        (uri (string-append "mirror://gnu/shishi/shishi-"
>                            version ".tar.gz"))
> +      (patches (search-patches "shishi-fix-libgcrypt-detection.patch"))
>        (sha256
>         (base32
>          "032qf72cpjdfffq1yq54gz3ahgqf2ijca4vl31sfabmjzq9q370d"))))
>      (build-system gnu-build-system)
> -    (native-inputs `(("pkg-config" ,pkg-config)))
> +    (arguments
> +     `(#:phases
> +       (modify-phases %standard-phases
> +         (add-before 'configure 'bootstrap
> +           (lambda _ (zero? (system* "autoreconf" "-vfi")))))))
> +    (native-inputs `(("pkg-config" ,pkg-config)
> +                     ;; XXX For bootstrapping. Remove for the next Shishi
> +                     ;; release after 1.0.2.
> +                     ("autoconf" ,autoconf)
> +                     ("automake" ,automake)
> +                     ("gettext" ,gnu-gettext)
> +                     ("libtool" ,libtool)
> +                     ("texinfo" ,texinfo)))

I think you can achieve the same result but without adding these
dependencies etc. just by adding:

  #:configure-flags '("ac_cv_libgcrypt=yes")

which I think is marginally better (but no big deal).

Thanks,
Ludo’.


* bug#27429: core-updates and shishi [was Re: bug#27429: Stack clash (CVE-2017-1000366 etc)]
  2017-06-29 22:27                         ` Ludovic Courtès
@ 2017-06-30  6:47                           ` Leo Famulari
  2017-06-30 12:59                             ` Ludovic Courtès
  0 siblings, 1 reply; 37+ messages in thread
From: Leo Famulari @ 2017-06-30  6:47 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 27429


On Fri, Jun 30, 2017 at 12:27:57AM +0200, Ludovic Courtès wrote:
> > -    (native-inputs `(("pkg-config" ,pkg-config)))
> > +    (arguments
> > +     `(#:phases
> > +       (modify-phases %standard-phases
> > +         (add-before 'configure 'bootstrap
> > +           (lambda _ (zero? (system* "autoreconf" "-vfi")))))))
> > +    (native-inputs `(("pkg-config" ,pkg-config)
> > +                     ;; XXX For bootstrapping. Remove for the next Shishi
> > +                     ;; release after 1.0.2.
> > +                     ("autoconf" ,autoconf)
> > +                     ("automake" ,automake)
> > +                     ("gettext" ,gnu-gettext)
> > +                     ("libtool" ,libtool)
> > +                     ("texinfo" ,texinfo)))
> 
> I think you can achieve the same result but without adding these
> dependencies etc. just by adding:
> 
>   #:configure-flags '("ac_cv_libgcrypt=yes")
> 
> which I think is marginally better (but no big deal).

Yes, that's better. I built Shishi and GSS with it locally, pushed, and
started a core-updates evaluation.

But I don't know if we will hit this evaluation failure also on
core-updates since I merged master:

https://lists.gnu.org/archive/html/guix-devel/2017-06/msg00349.html


* bug#27429: core-updates and shishi [was Re: bug#27429: Stack clash (CVE-2017-1000366 etc)]
  2017-06-30  6:47                           ` Leo Famulari
@ 2017-06-30 12:59                             ` Ludovic Courtès
  0 siblings, 0 replies; 37+ messages in thread
From: Ludovic Courtès @ 2017-06-30 12:59 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 27429

Leo Famulari <leo@famulari.name> writes:

> On Fri, Jun 30, 2017 at 12:27:57AM +0200, Ludovic Courtès wrote:
>> > -    (native-inputs `(("pkg-config" ,pkg-config)))
>> > +    (arguments
>> > +     `(#:phases
>> > +       (modify-phases %standard-phases
>> > +         (add-before 'configure 'bootstrap
>> > +           (lambda _ (zero? (system* "autoreconf" "-vfi")))))))
>> > +    (native-inputs `(("pkg-config" ,pkg-config)
>> > +                     ;; XXX For bootstrapping. Remove for the next Shishi
>> > +                     ;; release after 1.0.2.
>> > +                     ("autoconf" ,autoconf)
>> > +                     ("automake" ,automake)
>> > +                     ("gettext" ,gnu-gettext)
>> > +                     ("libtool" ,libtool)
>> > +                     ("texinfo" ,texinfo)))
>> 
>> I think you can achieve the same result but without adding these
>> dependencies etc. just by adding:
>> 
>>   #:configure-flags '("ac_cv_libgcrypt=yes")
>> 
>> which I think is marginally better (but no big deal).
>
> Yes, that's better. I built Shishi and GSS with it locally, pushed, and
> started a core-updates evaluation.

OK.

> But I don't know if we will hit this evaluation failure also on
> core-updates since I merged master:
>
> https://lists.gnu.org/archive/html/guix-devel/2017-06/msg00349.html

Oops indeed.  I fixed it in master and merged the fix.  New evaluation
pending.

Thanks,
Ludo’.


* bug#27429: Stack clash (CVE-2017-1000366 etc)
  2017-06-19 22:25 bug#27429: Stack clash (CVE-2017-1000366 etc) Leo Famulari
                   ` (3 preceding siblings ...)
  2017-06-25  9:38 ` bug#27429: Stack clash (CVE-2017-1000366 etc); -fstack-check Danny Milosavljevic
@ 2017-07-20 15:54 ` Ludovic Courtès
  2017-07-20 19:13   ` Leo Famulari
  4 siblings, 1 reply; 37+ messages in thread
From: Ludovic Courtès @ 2017-07-20 15:54 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 27429

Leo Famulari <leo@famulari.name> writes:

> This is a place to discuss the "stack crash" bugs as they apply to our
> packages.
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000366
> https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt

I think we can close this bug now, can’t we?

Ludo’.


* bug#27429: Stack clash (CVE-2017-1000366 etc)
  2017-07-20 15:54 ` bug#27429: Stack clash (CVE-2017-1000366 etc) Ludovic Courtès
@ 2017-07-20 19:13   ` Leo Famulari
  0 siblings, 0 replies; 37+ messages in thread
From: Leo Famulari @ 2017-07-20 19:13 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 27429-done


On Thu, Jul 20, 2017 at 05:54:06PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> 
> > This is a place to discuss the "stack crash" bugs as they apply to our
> > packages.
> >
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000366
> > https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
> 
> I think we can close this bug now, can’t we?

Yeah, I'm closing it.

I think the various mitigations we applied will change and improve over
time, but they can be discussed elsewhere once we know what they are.


