eglibc: cve-2010-3847 dynamic linker expands $ORIGIN in setuid library search path

Related Vulnerabilities: CVE-2010-3847, CVE-2010-3856, CVE-2011-0536

Debian Bug report logs - #600667

Package: eglibc; Maintainer for eglibc is (unknown);

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Mon, 18 Oct 2010 22:57:05 UTC

Severity: grave

Tags: pending, security, squeeze-ignore

Found in versions 2.11.2-8, 2.11.2-6

Done: Aurelien Jarno <aurelien@aurel32.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#600667; Package eglibc. (Mon, 18 Oct 2010 22:57:08 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Mon, 18 Oct 2010 22:57:08 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: eglibc: cve-2010-3847 dynamic linker expands $ORIGIN in setuid library search path
Date: Mon, 18 Oct 2010 18:58:45 -0400
package: eglibc
version: 2.11.2-6
severity: grave
tag: patch

an issue has been disclosed in eglibc.  see:
http://seclists.org/fulldisclosure/2010/Oct/257

patch available:
http://sourceware.org/ml/libc-hacker/2010-10/msg00007.html

best wishes,
mike




Severity set to 'critical' from 'grave' Request was from Sebastian Reichel <elektranox@gmail.com> to control@bugs.debian.org. (Tue, 19 Oct 2010 01:15:02 GMT) (full text, mbox, link).


Added tag(s) security. Request was from Sebastian Reichel <elektranox@gmail.com> to control@bugs.debian.org. (Tue, 19 Oct 2010 01:15:03 GMT) (full text, mbox, link).


Severity set to 'grave' from 'critical' Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Tue, 19 Oct 2010 11:39:03 GMT) (full text, mbox, link).


Added tag(s) pending. Request was from Aurelien Jarno <aurel32@alioth.debian.org> to control@bugs.debian.org. (Thu, 21 Oct 2010 17:36:37 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#600667; Package eglibc. (Thu, 21 Oct 2010 17:36:40 GMT) (full text, mbox, link).


Acknowledgement sent to Aurelien Jarno <aurelien@aurel32.net>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Thu, 21 Oct 2010 17:36:40 GMT) (full text, mbox, link).


Message #18 received at 600667@bugs.debian.org (full text, mbox, reply):

From: Aurelien Jarno <aurelien@aurel32.net>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 600667@bugs.debian.org
Subject: Re: Bug#600667: eglibc: cve-2010-3847 dynamic linker expands $ORIGIN in setuid library search path
Date: Thu, 21 Oct 2010 19:36:04 +0200
On Mon, Oct 18, 2010 at 06:58:45PM -0400, Michael Gilbert wrote:
> package: eglibc
> version: 2.11.2-6
> severity: grave
> tag: patch
> 
> an issue has been disclosed in eglibc.  see:
> http://seclists.org/fulldisclosure/2010/Oct/257
> 
> patch available:
> http://sourceware.org/ml/libc-hacker/2010-10/msg00007.html
> 

I have just committed the fix, I am planning to do an upload soon to
unstable. Do you think we should also fix it in stable? via a security
release?

-- 
Aurelien Jarno	                        GPG: 1024D/F1BCDB73
aurelien@aurel32.net                 http://www.aurel32.net




Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#600667; Package eglibc. (Thu, 21 Oct 2010 19:45:08 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Thu, 21 Oct 2010 19:45:08 GMT) (full text, mbox, link).


Message #23 received at 600667@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 600667@bugs.debian.org
Subject: Re: Bug#600667: eglibc: cve-2010-3847 dynamic linker expands $ORIGIN in setuid library search path
Date: Thu, 21 Oct 2010 15:43:59 -0400
On Thu, 21 Oct 2010 19:36:04 +0200, Aurelien Jarno wrote:
> On Mon, Oct 18, 2010 at 06:58:45PM -0400, Michael Gilbert wrote:
> > package: eglibc
> > version: 2.11.2-6
> > severity: grave
> > tag: patch
> > 
> > an issue has been disclosed in eglibc.  see:
> > http://seclists.org/fulldisclosure/2010/Oct/257
> > 
> > patch available:
> > http://sourceware.org/ml/libc-hacker/2010-10/msg00007.html
> > 
> 
> I have just committed the fix, I am planning to do an upload soon to
> unstable. Do you think we should also fix it in stable? via a security
> release?

the exploitability of this issue is questionable, but i think it should
be fixed in a DSA just to be safe (based on the precautionary
principle).

thanks for working on the fix.

mike




Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#600667; Package eglibc. (Fri, 22 Oct 2010 07:42:06 GMT) (full text, mbox, link).


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Fri, 22 Oct 2010 07:42:06 GMT) (full text, mbox, link).


Message #28 received at 600667@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>
To: Aurelien Jarno <aurelien@aurel32.net>
Cc: 600667@bugs.debian.org, Michael Gilbert <michael.s.gilbert@gmail.com>
Subject: Re: Bug#600667: eglibc: cve-2010-3847 dynamic linker expands $ORIGIN in setuid library search path
Date: Fri, 22 Oct 2010 09:38:33 +0200
* Aurelien Jarno:

> I have just committed the fix, I am planning to do an upload soon to
> unstable. Do you think we should also fix it in stable? via a security
> release?

FYI, I have uploaded eglibc 2.11.2-6+squeeze1 to testing-security.




Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#600667; Package eglibc. (Fri, 22 Oct 2010 08:06:03 GMT) (full text, mbox, link).


Acknowledgement sent to Aurelien Jarno <aurelien@aurel32.net>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Fri, 22 Oct 2010 08:06:03 GMT) (full text, mbox, link).


Message #33 received at 600667@bugs.debian.org (full text, mbox, reply):

From: Aurelien Jarno <aurelien@aurel32.net>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 600667@bugs.debian.org
Subject: Re: Bug#600667: eglibc: cve-2010-3847 dynamic linker expands $ORIGIN in setuid library search path
Date: Fri, 22 Oct 2010 10:04:27 +0200
On Thu, Oct 21, 2010 at 03:43:59PM -0400, Michael Gilbert wrote:
> On Thu, 21 Oct 2010 19:36:04 +0200, Aurelien Jarno wrote:
> > On Mon, Oct 18, 2010 at 06:58:45PM -0400, Michael Gilbert wrote:
> > > package: eglibc
> > > version: 2.11.2-6
> > > severity: grave
> > > tag: patch
> > > 
> > > an issue has been disclosed in eglibc.  see:
> > > http://seclists.org/fulldisclosure/2010/Oct/257
> > > 
> > > patch available:
> > > http://sourceware.org/ml/libc-hacker/2010-10/msg00007.html
> > > 
> > 
> > I have just committed the fix, I am planning to do an upload soon to
> > unstable. Do you think we should also fix it in stable? via a security
> > release?
> 
> the exploitability of this issue is questionable, but i think it should
> be fixed in a DSA just to be safe (based on the precautionary
> principle).
> 
> thanks for working on the fix.
> 

Ok, then I'll work on a stable upload after doing the unstable upload.
Unfortunately I don't have a lot of time to spend on Debian currently.

Also note that given the glibc is not built with -DNDEBUG on Debian, 
it seems it is not vulnerable. At least an assert is triggered when
trying the exploit instead of becoming root.

-- 
Aurelien Jarno	                        GPG: 1024D/F1BCDB73
aurelien@aurel32.net                 http://www.aurel32.net




Reply sent to Aurelien Jarno <aurel32@debian.org>:
You have taken responsibility. (Sun, 31 Oct 2010 08:36:08 GMT) (full text, mbox, link).


Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sun, 31 Oct 2010 08:36:08 GMT) (full text, mbox, link).


Message #38 received at 600667-close@bugs.debian.org (full text, mbox, reply):

From: Aurelien Jarno <aurel32@debian.org>
To: 600667-close@bugs.debian.org
Subject: Bug#600667: fixed in eglibc 2.11.2-7
Date: Sun, 31 Oct 2010 08:33:09 +0000
Source: eglibc
Source-Version: 2.11.2-7

We believe that the bug you reported is fixed in the latest version of
eglibc, which is due to be installed in the Debian FTP archive:

eglibc-source_2.11.2-7_all.deb
  to main/e/eglibc/eglibc-source_2.11.2-7_all.deb
eglibc_2.11.2-7.diff.gz
  to main/e/eglibc/eglibc_2.11.2-7.diff.gz
eglibc_2.11.2-7.dsc
  to main/e/eglibc/eglibc_2.11.2-7.dsc
glibc-doc_2.11.2-7_all.deb
  to main/e/eglibc/glibc-doc_2.11.2-7_all.deb
libc-bin_2.11.2-7_amd64.deb
  to main/e/eglibc/libc-bin_2.11.2-7_amd64.deb
libc-dev-bin_2.11.2-7_amd64.deb
  to main/e/eglibc/libc-dev-bin_2.11.2-7_amd64.deb
libc6-dbg_2.11.2-7_amd64.deb
  to main/e/eglibc/libc6-dbg_2.11.2-7_amd64.deb
libc6-dev-i386_2.11.2-7_amd64.deb
  to main/e/eglibc/libc6-dev-i386_2.11.2-7_amd64.deb
libc6-dev_2.11.2-7_amd64.deb
  to main/e/eglibc/libc6-dev_2.11.2-7_amd64.deb
libc6-i386_2.11.2-7_amd64.deb
  to main/e/eglibc/libc6-i386_2.11.2-7_amd64.deb
libc6-pic_2.11.2-7_amd64.deb
  to main/e/eglibc/libc6-pic_2.11.2-7_amd64.deb
libc6-prof_2.11.2-7_amd64.deb
  to main/e/eglibc/libc6-prof_2.11.2-7_amd64.deb
libc6-udeb_2.11.2-7_amd64.udeb
  to main/e/eglibc/libc6-udeb_2.11.2-7_amd64.udeb
libc6_2.11.2-7_amd64.deb
  to main/e/eglibc/libc6_2.11.2-7_amd64.deb
libnss-dns-udeb_2.11.2-7_amd64.udeb
  to main/e/eglibc/libnss-dns-udeb_2.11.2-7_amd64.udeb
libnss-files-udeb_2.11.2-7_amd64.udeb
  to main/e/eglibc/libnss-files-udeb_2.11.2-7_amd64.udeb
locales-all_2.11.2-7_amd64.deb
  to main/e/eglibc/locales-all_2.11.2-7_amd64.deb
locales_2.11.2-7_all.deb
  to main/e/eglibc/locales_2.11.2-7_all.deb
nscd_2.11.2-7_amd64.deb
  to main/e/eglibc/nscd_2.11.2-7_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 600667@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated eglibc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 30 Oct 2010 18:15:54 +0200
Source: eglibc
Binary: libc-bin libc-dev-bin glibc-doc eglibc-source locales locales-all nscd libc6 libc6-dev libc6-dbg libc6-prof libc6-pic libc6-udeb libc6.1 libc6.1-dev libc6.1-dbg libc6.1-prof libc6.1-pic libc6.1-udeb libc0.3 libc0.3-dev libc0.3-dbg libc0.3-prof libc0.3-pic libc0.3-udeb libc0.1 libc0.1-dev libc0.1-dbg libc0.1-prof libc0.1-pic libc0.1-udeb libc6-i386 libc6-dev-i386 libc6-sparc64 libc6-dev-sparc64 libc6-s390x libc6-dev-s390x libc6-amd64 libc6-dev-amd64 libc6-powerpc libc6-dev-powerpc libc6-ppc64 libc6-dev-ppc64 libc6-mipsn32 libc6-dev-mipsn32 libc6-mips64 libc6-dev-mips64 libc0.1-i386 libc0.1-dev-i386 libc6-sparcv9b libc6-i686 libc6-xen libc0.1-i686 libc0.3-i686 libc0.3-xen libc6.1-alphaev67 libnss-dns-udeb libnss-files-udeb
Architecture: source all amd64
Version: 2.11.2-7
Distribution: unstable
Urgency: low
Maintainer: Aurelien Jarno <aurel32@debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Description: 
 eglibc-source - Embedded GNU C Library: sources
 glibc-doc  - Embedded GNU C Library: Documentation
 libc-bin   - Embedded GNU C Library: Binaries
 libc-dev-bin - Embedded GNU C Library: Development binaries
 libc0.1    - Embedded GNU C Library: Shared libraries
 libc0.1-dbg - Embedded GNU C Library: detached debugging symbols
 libc0.1-dev - Embedded GNU C Library: Development Libraries and Header Files
 libc0.1-dev-i386 - Embedded GNU C Library: 32bit development libraries for AMD64
 libc0.1-i386 - Embedded GNU C Library: 32bit shared libraries for AMD64
 libc0.1-i686 - Embedded GNU C Library: Shared libraries [i686 optimized]
 libc0.1-pic - Embedded GNU C Library: PIC archive library
 libc0.1-prof - Embedded GNU C Library: Profiling Libraries
 libc0.1-udeb - Embedded GNU C Library: Shared libraries - udeb (udeb)
 libc0.3    - Embedded GNU C Library: Shared libraries
 libc0.3-dbg - Embedded GNU C Library: detached debugging symbols
 libc0.3-dev - Embedded GNU C Library: Development Libraries and Header Files
 libc0.3-i686 - Embedded GNU C Library: Shared libraries [i686 optimized]
 libc0.3-pic - Embedded GNU C Library: PIC archive library
 libc0.3-prof - Embedded GNU C Library: Profiling Libraries
 libc0.3-udeb - Embedded GNU C Library: Shared libraries - udeb (udeb)
 libc0.3-xen - Embedded GNU C Library: Shared libraries [Xen version]
 libc6      - Embedded GNU C Library: Shared libraries
 libc6-amd64 - Embedded GNU C Library: 64bit Shared libraries for AMD64
 libc6-dbg  - Embedded GNU C Library: detached debugging symbols
 libc6-dev  - Embedded GNU C Library: Development Libraries and Header Files
 libc6-dev-amd64 - Embedded GNU C Library: 64bit Development Libraries for AMD64
 libc6-dev-i386 - Embedded GNU C Library: 32-bit development libraries for AMD64
 libc6-dev-mips64 - Embedded GNU C Library: 64bit Development Libraries for MIPS64
 libc6-dev-mipsn32 - Embedded GNU C Library: n32 Development Libraries for MIPS64
 libc6-dev-powerpc - Embedded GNU C Library: 32bit powerpc development libraries for p
 libc6-dev-ppc64 - Embedded GNU C Library: 64bit Development Libraries for PowerPC64
 libc6-dev-s390x - Embedded GNU C Library: 64bit Development Libraries for IBM zSeri
 libc6-dev-sparc64 - Embedded GNU C Library: 64bit Development Libraries for UltraSPAR
 libc6-i386 - Embedded GNU C Library: 32-bit shared libraries for AMD64
 libc6-i686 - Embedded GNU C Library: Shared libraries [i686 optimized]
 libc6-mips64 - Embedded GNU C Library: 64bit Shared libraries for MIPS64
 libc6-mipsn32 - Embedded GNU C Library: n32 Shared libraries for MIPS64
 libc6-pic  - Embedded GNU C Library: PIC archive library
 libc6-powerpc - Embedded GNU C Library: 32bit powerpc shared libraries for ppc64
 libc6-ppc64 - Embedded GNU C Library: 64bit Shared libraries for PowerPC64
 libc6-prof - Embedded GNU C Library: Profiling Libraries
 libc6-s390x - Embedded GNU C Library: 64bit Shared libraries for IBM zSeries
 libc6-sparc64 - Embedded GNU C Library: 64bit Shared libraries for UltraSPARC
 libc6-sparcv9b - Embedded GNU C Library: Shared libraries [v9b optimized]
 libc6-udeb - Embedded GNU C Library: Shared libraries - udeb (udeb)
 libc6-xen  - Embedded GNU C Library: Shared libraries [Xen version]
 libc6.1    - Embedded GNU C Library: Shared libraries
 libc6.1-alphaev67 - Embedded GNU C Library: Shared libraries (EV67 optimized)
 libc6.1-dbg - Embedded GNU C Library: detached debugging symbols
 libc6.1-dev - Embedded GNU C Library: Development Libraries and Header Files
 libc6.1-pic - Embedded GNU C Library: PIC archive library
 libc6.1-prof - Embedded GNU C Library: Profiling Libraries
 libc6.1-udeb - Embedded GNU C Library: Shared libraries - udeb (udeb)
 libnss-dns-udeb - Embedded GNU C Library: NSS helper for DNS - udeb (udeb)
 libnss-files-udeb - Embedded GNU C Library: NSS helper for files - udeb (udeb)
 locales    - Embedded GNU C Library: National Language (locale) data [support]
 locales-all - Embedded GNU C Library: Precompiled locale data
 nscd       - Embedded GNU C Library: Name Service Cache Daemon
Closes: 595403 597348 600667 601085 601531
Changes: 
 eglibc (2.11.2-7) unstable; urgency=low
 .
   [ Samuel Thibault ]
   * patches/hurd-i386/cvs-sendmsg-leak.diff: New upstream patch from Emilio
     Pozuelo Monfort to fix a memory leak on the error path of sendmsg.
   * patches/hurd-i386/local-sendmsg-SCM_RIGHTS.diff: New patch from Emilio
     Pozuelo Monfort to implement SCM_RIGHTS in sendmsg().
 .
   [ Aurelien Jarno ]
   * Update Portuguese debconf translation, by Pedro Ribeiro.  Closes: #597348.
   * Add any/submitted-origin.diff from Andreas Schwab to forbid the use
     of $ORIGIN in privileged programs. Add any/cvs-audit-suid.diff to
     only load SUID audit objects in SUID binaries. Fix CVE-2010-3847.
     Closes: #600667.
   * Update Catalan debconf translation, by Jordi Mallach. Closes: #601085.
   * Update Vietnamese debconf translation, by Clytie Siddall.  Closes:
     #601531.
   * Add arm/local-sigaction.diff to match sigaction with SA_RESTORER
     behaviour with other architectures.  Closes: #595403.
Package-Type: udeb






Bug Marked as found in versions 2.11.2-7; no longer marked as fixed in versions eglibc/2.11.2-7 and reopened. Request was from "Florian Weimer,,," <fw@deneb.enyo.de> to control@bugs.debian.org. (Mon, 01 Nov 2010 08:03:04 GMT) (full text, mbox, link).


Bug marked as fixed in version 2.11.2-7, send any further explanations to Michael Gilbert <michael.s.gilbert@gmail.com> Request was from "Florian Weimer,,," <fw@deneb.enyo.de> to control@bugs.debian.org. (Mon, 01 Nov 2010 08:09:03 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 04 Dec 2010 07:36:06 GMT) (full text, mbox, link).


Bug unarchived. Request was from Michael Gilbert <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Wed, 02 Feb 2011 02:15:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#600667; Package eglibc. (Wed, 02 Feb 2011 02:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Wed, 02 Feb 2011 02:21:03 GMT) (full text, mbox, link).


Message #51 received at 600667@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: control@bugs.debian.org, 600667@bugs.debian.org
Subject: Fw: re: eglibc: cve-2010-3847 dynamic linker expands $ORIGIN in setuid library search path
Date: Tue, 1 Feb 2011 21:19:53 -0500
reopen 600667
thanks

Maybe I'm reading things wrong, or maybe Mitre's information is
actually incorrect, but it looks like the fixes claimed for
CVE-2010-3847 in 2.11.2-8 actually address CVE-2010-3856 [0] instead.
It looks like CVE-2010-3847 [1] is still unfixed.  The original fix in
-7 may have been correct to begin with?

Best wishes,
Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3856
http://sourceware.org/ml/libc-hacker/2010-10/msg00010.html
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3847
http://sourceware.org/ml/libc-hacker/2010-10/msg00007.html




Bug No longer marked as fixed in versions 2.11.2-7 and reopened. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 02 Feb 2011 02:21:05 GMT) (full text, mbox, link).


Bug Marked as found in versions 2.11.2-8. Request was from Michael Gilbert <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Wed, 02 Feb 2011 02:21:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#600667; Package eglibc. (Wed, 02 Feb 2011 13:48:30 GMT) (full text, mbox, link).


Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Wed, 02 Feb 2011 13:48:30 GMT) (full text, mbox, link).


Message #60 received at 600667@bugs.debian.org (full text, mbox, reply):

From: Julien Cristau <jcristau@debian.org>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 600667@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#600667: Fw: re: eglibc: cve-2010-3847 dynamic linker expands $ORIGIN in setuid library search path
Date: Wed, 2 Feb 2011 14:47:07 +0100
user release.debian.org@packages.debian.org
usertag 600667 squeeze-can-defer
tag 600667 squeeze-ignore
kthxbye

On Tue, Feb  1, 2011 at 21:19:53 -0500, Michael Gilbert wrote:

> reopen 600667
> thanks
> 
> Maybe I'm reading things wrong, or maybe Mitre's information is
> actually incorrect, but it looks like the fixes claimed for
> CVE-2010-3847 in 2.11.2-8 actually address CVE-2010-3856 [0] instead.
> It looks like CVE-2010-3847 [1] is still unfixed.  The original fix in
> -7 may have been correct to begin with?
> 
Not a release blocker.

Cheers,
Julien

Added tag(s) squeeze-ignore. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Wed, 02 Feb 2011 13:48:33 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#600667; Package eglibc. (Sat, 05 Feb 2011 19:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Sat, 05 Feb 2011 19:21:03 GMT) (full text, mbox, link).


Message #67 received at 600667@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 600667@bugs.debian.org
Subject: Re: Bug#600667: Fw: re: eglibc: cve-2010-3847 dynamic linker expands $ORIGIN in setuid library search path
Date: Sat, 5 Feb 2011 14:20:14 -0500
Note that a new CVE id (CVE-2011-0536) has been assigned for a
vulnerability introduced by the patches for cve-2010-3847 [0].  It
sounds like this affects the recent DSAs. Please take a look at the
code and figure out what needs to be done to resolve these three
issues: CVE-2010-3847, CVE-2010-3856, CVE-2011-0536.

Thanks,
Mike

[0] http://www.openwall.com/lists/oss-security/2011/02/03/2




Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#600667; Package eglibc. (Mon, 07 Feb 2011 00:21:06 GMT) (full text, mbox, link).


Acknowledgement sent to Aurelien Jarno <aurelien@aurel32.net>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Mon, 07 Feb 2011 00:21:06 GMT) (full text, mbox, link).


Message #72 received at 600667@bugs.debian.org (full text, mbox, reply):

From: Aurelien Jarno <aurelien@aurel32.net>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 600667@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#600667: Fw: re: eglibc: cve-2010-3847 dynamic linker expands $ORIGIN in setuid library search path
Date: Mon, 7 Feb 2011 01:17:54 +0100
On Tue, Feb 01, 2011 at 09:19:53PM -0500, Michael Gilbert wrote:
> reopen 600667
> thanks
> 
> Maybe I'm reading things wrong, or maybe Mitre's information is
> actually incorrect, but it looks like the fixes claimed for
> CVE-2010-3847 in 2.11.2-8 actually address CVE-2010-3856 [0] instead.
> It looks like CVE-2010-3847 [1] is still unfixed.  The original fix in
> -7 may have been correct to begin with?
> 

We have removed the fix in -7 because:
- it has been removed in the new upload to lenny
- it never went upstream.

It has been replaced by this commit instead:
http://sourceware.org/ml/libc-hacker/2010-12/msg00001.html

So I don't think there is any security issue left with the current 
patch set.

-- 
Aurelien Jarno                          GPG: 1024D/F1BCDB73
aurelien@aurel32.net                 http://www.aurel32.net




Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#600667; Package eglibc. (Mon, 07 Feb 2011 00:21:08 GMT) (full text, mbox, link).


Acknowledgement sent to Aurelien Jarno <aurelien@aurel32.net>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Mon, 07 Feb 2011 00:21:08 GMT) (full text, mbox, link).


Message #77 received at 600667@bugs.debian.org (full text, mbox, reply):

From: Aurelien Jarno <aurelien@aurel32.net>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 600667@bugs.debian.org
Subject: Re: Bug#600667: Fw: re: eglibc: cve-2010-3847 dynamic linker expands $ORIGIN in setuid library search path
Date: Mon, 7 Feb 2011 01:19:39 +0100
On Sat, Feb 05, 2011 at 02:20:14PM -0500, Michael Gilbert wrote:
> Note that a new CVE id (CVE-2011-0536) has been assigned for a
> vulnerability introduced by the patches for cve-2010-3847 [0].  It
> sounds like this affects the recent DSAs. Please take a look at the
> code and figure out what needs to be done to resolve these three
> issues: CVE-2010-3847, CVE-2010-3856, CVE-2011-0536.
> 

I think CVE-2011-0536 corresponds to the Debian and Ubuntu bug, which
didn't apply the correct patchset on the first security fix.

-- 
Aurelien Jarno                          GPG: 1024D/F1BCDB73
aurelien@aurel32.net                 http://www.aurel32.net




Reply sent to Aurelien Jarno <aurelien@aurel32.net>:
You have taken responsibility. (Sat, 26 Feb 2011 10:33:06 GMT) (full text, mbox, link).


Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sat, 26 Feb 2011 10:33:06 GMT) (full text, mbox, link).


Message #82 received at 600667-done@bugs.debian.org (full text, mbox, reply):

From: Aurelien Jarno <aurelien@aurel32.net>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 600667-done@bugs.debian.org
Subject: Re: Bug#600667: Fw: re: eglibc: cve-2010-3847 dynamic linker expands $ORIGIN in setuid library search path
Date: Sat, 26 Feb 2011 11:30:41 +0100
On Mon, Feb 07, 2011 at 01:17:54AM +0100, Aurelien Jarno wrote:
> On Tue, Feb 01, 2011 at 09:19:53PM -0500, Michael Gilbert wrote:
> > reopen 600667
> > thanks
> > 
> > Maybe I'm reading things wrong, or maybe Mitre's information is
> > actually incorrect, but it looks like the fixes claimed for
> > CVE-2010-3847 in 2.11.2-8 actually address CVE-2010-3856 [0] instead.
> > It looks like CVE-2010-3847 [1] is still unfixed.  The original fix in
> > -7 may have been correct to begin with?
> > 
> 
> We have removed the fix in -7 because:
> - it has been removed in the new upload to lenny
> - it never went upstream.
> 
> It has been replaced by this commit instead:
> http://sourceware.org/ml/libc-hacker/2010-12/msg00001.html
> 
> So I don't think there is any security issue left with the current 
> patch set.
> 

Given I have got no answer, I guess everybody agrees the bug is really
fixed. Closing it.

-- 
Aurelien Jarno	                        GPG: 1024D/F1BCDB73
aurelien@aurel32.net                 http://www.aurel32.net




Added tag(s) pending. Request was from Aurelien Jarno <aurel32@alioth.debian.org> to control@bugs.debian.org. (Sat, 26 Feb 2011 12:45:13 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Mar 2011 07:33:34 GMT) (full text, mbox, link).
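
The 2.11.2-7 changelog in this log describes the fix as forbidding $ORIGIN in privileged programs. As an added example (not part of the bug log and not eglibc code), the following Python hardening check lists setuid/setgid ELF files whose DT_RPATH or DT_RUNPATH uses $ORIGIN, so such binaries can be reviewed regardless of the installed libc version. All function names and the sample ELF image are constructed for illustration.

```python
import os
import stat
import struct

PT_LOAD, PT_DYNAMIC, DT_NULL, DT_STRTAB = 1, 2, 0, 5
PATH_TAGS = {15: "DT_RPATH", 29: "DT_RUNPATH"}


def elf_search_paths(data):
    """Return [(tag_name, value)] for DT_RPATH/DT_RUNPATH in an ELF image."""
    if len(data) < 6 or data[:4] != b"\x7fELF":
        return []
    if data[4] not in (1, 2) or data[5] not in (1, 2):
        return []
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    e = "<" if data[5] == 1 else ">"         # EI_DATA: 1 = little-endian
    try:
        if is64:
            (phoff,) = struct.unpack_from(e + "Q", data, 0x20)
            phentsize, phnum = struct.unpack_from(e + "HH", data, 0x36)
        else:
            (phoff,) = struct.unpack_from(e + "I", data, 0x1C)
            phentsize, phnum = struct.unpack_from(e + "HH", data, 0x2A)
        loads, dynamic = [], (0, 0)          # (0, 0): no PT_DYNAMIC (static binary)
        for i in range(phnum):
            off = phoff + i * phentsize
            if is64:
                p_type, _, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
                    e + "IIQQQQ", data, off)
            else:
                p_type, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
                    e + "IIIII", data, off)
            if p_type == PT_LOAD:
                loads.append((p_vaddr, p_offset, p_filesz))
            elif p_type == PT_DYNAMIC:
                dynamic = (p_offset, p_filesz)
        fmt, size = (e + "qQ", 16) if is64 else (e + "iI", 8)
        strtab, wanted = -1, []              # -1: DT_STRTAB not seen
        for off in range(dynamic[0], dynamic[0] + dynamic[1] - size + 1, size):
            tag, val = struct.unpack_from(fmt, data, off)
            if tag == DT_NULL:
                break
            if tag == DT_STRTAB:
                strtab = val
            elif tag in PATH_TAGS:
                wanted.append((PATH_TAGS[tag], val))
    except struct.error:
        return []                            # truncated or malformed image
    # DT_STRTAB holds a virtual address; map it to a file offset via PT_LOAD.
    base = next((o + strtab - v for v, o, n in loads if v <= strtab < v + n), None)
    if base is None:
        return []
    found = []
    for name, val in wanted:
        start = base + val
        end = data.find(b"\0", start)
        if start < len(data) and end != -1:
            found.append((name, data[start:end].decode("utf-8", "replace")))
    return found


def origin_entries(data):
    """Return the individual search-path entries that use $ORIGIN or ${ORIGIN}."""
    return [(name, entry) for name, value in elf_search_paths(data)
            for entry in value.split(":")
            if "$ORIGIN" in entry or "${ORIGIN}" in entry]


def is_privileged(mode):
    """True for a regular file with the setuid or setgid bit set."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def audit_tree(root):
    """Yield (path, hits) for privileged ELF files under root that use $ORIGIN."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if not is_privileged(os.lstat(path).st_mode):
                    continue
                with open(path, "rb") as fh:
                    hits = origin_entries(fh.read())
            except OSError:
                continue                     # unreadable or vanished file
            if hits:
                yield path, hits


def build_sample_elf64(runpath=b"$ORIGIN/../lib:/usr/lib"):
    """Constructed minimal little-endian ELF64 image (sample input, not a real binary)."""
    strtab = b"\0" + runpath + b"\0"
    dyn_off = 64 + 2 * 56                    # ELF header + two program headers
    str_off = dyn_off + 3 * 16               # three dynamic entries
    dyn = struct.pack("<qQqQqQ", DT_STRTAB, str_off, 29, 1, DT_NULL, 0)
    total = str_off + len(strtab)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + bytes(9),
                       3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 4, 0, 0, 0, total, total, 0x1000)
    dynp = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, 48, 48, 8)
    return ehdr + load + dynp + dyn + strtab
```

Iterating `audit_tree("/usr")` on a live system prints nothing by itself; each yielded pair names a privileged binary and the offending path entries for review.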




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:09:34 2019; Machine Name: beach
