LinuxQuestions.org
Old 10-26-2013, 08:40 PM   #1
mancha
[Slackware 14.1rc2]: glibc security review


Hi Pat.

Initially I was a bit hesitant to post the results from my glibc code audit given the nearing release date of 14.1. However,
the security fixes are substantial enough that I feel it important to make them available to you for your consideration.

I've patched glibc 2.17 on 32 and 64 bit archs. Test suites complete successfully, I've run extensive strcoll faithfulness tests,
and the systems run smoothly. In sum, I am confident in my recommendation that you apply my backport fixes for the following
five vulnerabilities in this order (only 1, 2, and 3 are order-specific):

  1. Requisite: glibc-2.17_strcoll-change.diff (sig)
    Needed for the CVE-2012-4412 & CVE-2012-4424 backports.

  2. CVE-2012-4424: glibc-2.17_CVE-2012-4424.diff (sig)

  3. CVE-2012-4412: glibc-2.17_CVE-2012-4412.diff (sig)

  4. CVE-2013-4237: glibc-2.17_CVE-2013-4237.diff (sig)

  5. CVE-2013-4788: glibc-2.17_CVE-2013-4788.diff (sig)

  6. CVE-2013-4458: glibc-2.17_CVE-2013-4458.diff (sig)

Also, I make two proofs-of-concept available so you can compare pre- and post- patch behavior for CVE-2012-4412 and
CVE-2012-4424. Post-patch, if the programs run 5+ minutes w/o an overflow, it's a success.

--mancha

PS FYI, GnuTLS 3.1.15 was released to address CVE-2013-4466 (GNUTLS-SA-2013-3). Versions prior to 3.1.3 aren't vulnerable.
 
Old 10-27-2013, 12:09 AM   #2
andrewthomas
For the latest

Quote:
CVE-2013-4788 hardening issue
CVE-2013-4237 may only affect powerpc in practice
CVE-2013-4458 Adding a large number of IPv6 entries for a host in /etc/hosts and then querying it results in a segmentat
https://sourceware.org/bugzilla/show_bug.cgi?id=16071 Priority:Low

Siddhesh Poyarekar 2013-10-25 05:00:24 UTC
Fixed in master:

commit 7cbcdb3699584db8913ca90f705d6337633ee10f
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Fri Oct 25 10:22:12 2013 +0530

Looking it over, not seeing much to be concerned about here.

Last edited by andrewthomas; 10-27-2013 at 12:10 AM. Reason: fixed link
 
Old 10-27-2013, 12:23 PM   #3
mancha
Quote:
Originally Posted by andrewthomas
Looking it over, not seeing much to be concerned about here.

I don't think you need to stock up on canned tuna and move to Montana just yet. That said, when the costs of correction are small, I can't
think of an intelligent reason to choose more vulnerable over less.

These glibc vulnerabilities vary in risk severity (don't they all?) but since I was investing time to do the audit in the first place I preferred to be
comprehensive and take care of all outstanding CVEs (including lesser threats).

Let me explain them a bit because your one-liners are misleading.
  • CVE-2013-4788: Pointer encryption (or mangling) was implemented in glibc at the end of 2005 yet never properly initialized pointer guards
    during static compiles making the calculation of target addresses trivial for an attacker. The fix doesn't introduce a new hardening feature;
    it corrects a broken feature many have relied on for the past 8 years.

  • CVE-2013-4237: Your comment about powerpc architectures seems to have come from here and you'll have to ask Jamie what he meant.
    However, all that's required to trigger this on Linux is for an attacker to craft an fs response in excess of NAME_MAX (eg malicious CIFS
    network message).

  • CVE-2013-4458: Your description is incomplete. The vulnerability exists in the getaddrinfo code-path and can be triggered by an attacker
    that either has access to the hosts file or controls a DNS zone. For example, here getaddrinfo performs an IPv6 DNS lookup of
    ipv6.test-ipv6.com:
Code:
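/* Copyright 0x7dd by mancha */

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_ntop */
#include <netdb.h>

int main(void)
{
  struct addrinfo *result;
  struct sockaddr_in6 addr;
  char ip[46];   /* same size as INET6_ADDRSTRLEN */

  /* Resolve the name; this exercises the getaddrinfo code path. */
  if (getaddrinfo("ipv6.test-ipv6.com", NULL, NULL, &result)) { exit(1); }
  /* The first result is read as a sockaddr_in6 (an AF_INET6 answer is assumed). */
  addr.sin6_addr = ((struct sockaddr_in6 *)result->ai_addr)->sin6_addr;
  inet_ntop(result->ai_family, &(addr.sin6_addr), ip, sizeof ip);
  printf("ip: %s\n", ip);
  freeaddrinfo(result);
  return 0;
}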
--mancha
 
1 members found this post helpful.
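
Added example, not part of mancha's post or of glibc's source: a C model of the x86_64 pointer mangling behind CVE-2013-4788 (XOR with the per-process guard, then a left rotate by 0x11), showing that a zero guard leaves only the public rotation. The helper names, the sample address and the sample guard are constructed for illustration, and the live check assumes glibc on x86_64 Linux, where the guard is read from %fs:0x30.

```c
/* Model of pointer mangling as done by glibc on x86_64:
 * stored = rol(ptr ^ guard, 0x11). Helper names are illustrative only. */
#include <stdint.h>
#include <stdio.h>

#define ROT 0x11  /* rotate count used for mangling on x86_64 */

static uint64_t rol64(uint64_t v, unsigned n) { return (v << n) | (v >> (64 - n)); }
static uint64_t ror64(uint64_t v, unsigned n) { return (v >> n) | (v << (64 - n)); }

/* Applied when a code pointer is stored (for example in a jmp_buf). */
uint64_t ptr_mangle(uint64_t ptr, uint64_t guard)   { return rol64(ptr ^ guard, ROT); }
/* Applied before the stored value is used as a jump target. */
uint64_t ptr_demangle(uint64_t val, uint64_t guard) { return ror64(val, ROT) ^ guard; }

/* Returns 1 when the stored form of ptr equals the plain rotation of ptr,
 * i.e. the guard contributes no secret. True exactly when guard == 0. */
int mangling_is_predictable(uint64_t ptr, uint64_t guard)
{
    return ptr_mangle(ptr, guard) == rol64(ptr, ROT);
}

/* Self-check for a running binary (useful in statically linked builds).
 * Assumption: glibc on x86_64 Linux, guard stored at %fs:0x30.
 * Returns 1 if the guard is non-zero, 0 if it is zero, -1 if unsupported. */
int live_pointer_guard_set(void)
{
#if defined(__x86_64__) && defined(__linux__) && defined(__GLIBC__)
    uint64_t g;
    __asm__ volatile ("mov %%fs:0x30, %0" : "=r"(g));
    return g != 0;
#else
    return -1;
#endif
}

int main(void)
{
    uint64_t fn    = 0x0000000000401136ULL;  /* constructed sample address */
    uint64_t guard = 0x9f3c51e2a7b4d680ULL;  /* constructed sample guard   */
    printf("zero guard predictable:   %d\n", mangling_is_predictable(fn, 0));
    printf("random guard predictable: %d\n", mangling_is_predictable(fn, guard));
    printf("live guard set:           %d\n", live_pointer_guard_set());
    return 0;
}
```

Linking `live_pointer_guard_set()` into a static build and checking for a return of 1 is a quick way to confirm the patched startup code initialized the guard.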
  

