LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 10-26-2013, 08:40 PM   #1
mancha
Member
 
Registered: Aug 2012
Posts: 484

Rep: Reputation: Disabled
[Slackware 14.1rc2]: glibc security review


Hi Pat.

Initially I was a bit hesitant to post the results from my glibc code audit given the nearing release date of 14.1. However,
the security fixes are substantial enough that I feel it important to make them available to you for your consideration.

I've patched glibc 2.17 on 32 and 64 bit archs. Test suites complete successfully, I've run extensive strcoll faithfulness tests,
and the systems run smoothly. In sum, I am confident in my recommendation that you apply my backport fixes for the following
five vulnerabilities in this order (only 1, 2, and 3 are order-specific):

  1. Requisite: glibc-2.17_strcoll-change.diff (sig)
    Needed for the CVE-2012-4412 & CVE-2012-4424 backports.

  2. CVE-2012-4424: glibc-2.17_CVE-2012-4424.diff (sig)

  3. CVE-2012-4412: glibc-2.17_CVE-2012-4412.diff (sig)

  4. CVE-2013-4237: glibc-2.17_CVE-2013-4237.diff (sig)

  5. CVE-2013-4788: glibc-2.17_CVE-2013-4788.diff (sig)

  6. CVE-2013-4458: glibc-2.17_CVE-2013-4458.diff (sig)

Also, I make two proofs-of-concept available so you can compare pre- and post- patch behavior for CVE-2012-4412 and
CVE-2012-4424. Post-patch, if the programs run 5+ minutes w/o an overflow, it's a success.

--mancha

PS FYI, GnuTLS 3.1.15 was released to address CVE-2013-4466 (GNUTLS-SA-2013-3). Versions prior to 3.1.3 aren't vulnerable.
 
Old 10-27-2013, 12:09 AM   #2
andrewthomas
Senior Member
 
Registered: May 2010
Location: Chicago Metro
Distribution: Arch, Gentoo, Slackware
Posts: 1,690

Rep: Reputation: 311Reputation: 311Reputation: 311Reputation: 311
For the latest

Quote:
CVE-2013-4788 hardening issue
CVE-2013-4237 may only affect powerpc in practice
CVE-2013-4458 Adding a large number of IPv6 entries for a host in /etc/hosts and then querying it results in a segmentat
https://sourceware.org/bugzilla/show_bug.cgi?id=16071 Priority:Low

Siddhesh Poyarekar 2013-10-25 05:00:24 UTC
Fixed in master:

commit 7cbcdb3699584db8913ca90f705d6337633ee10f
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Fri Oct 25 10:22:12 2013 +0530
Looking it over, not seeing much to be concerned about here.

Last edited by andrewthomas; 10-27-2013 at 12:10 AM. Reason: fixed link
 
Old 10-27-2013, 12:23 PM   #3
mancha
Member
 
Registered: Aug 2012
Posts: 484

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by andrewthomas View Post
Looking it over, not seeing much to be concerned about here.
I don't think you need to stock up on canned tuna and move to Montana just yet. That said, when the costs of correction are small, I can't
think of an intelligent reason to choose more vulnerable over less.

These glibc vulerabilities vary in risk severity (don't they all?) but since I was investing time to do the audit in the first place I preferred to be
comprehensive and take care of all outstanding CVEs (including lesser threats).

Let me explain them a bit because your one-liners are misleading.
  • CVE-2013-4788: Pointer encryption (or mangling) was implemented in glibc at the end of 2005 yet never properly initialized pointer guards
    during static compiles making the calculation of target addresses trivial for an attacker. The fix doesn't introduce a new hardening feature;
    it corrects a broken feature many have relied on for the past 8 years.

  • CVE-2013-4237: Your comment about powerpc architectures seems to have come from here and you'll have to ask Jamie what he meant.
    However, all that's required to trigger this on Linux is for an attacker to craft an fs response in excess of NAME_MAX (eg malicious CIFS
    network message).

  • CVE-2013-4458 Your description is incomplete. The vulnerability exists in the getaddrinfo code-path and can be triggered by an attacker
    that either has access to the hosts file or controls a DNS zone. For example, here getaddrinfo performs an IPv6 DNS lookup of
    ipv6.test-ipv6.com:
Code:
/* Copyright 0x7dd by mancha */

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

int main(void)
{
  struct addrinfo *result;
  struct sockaddr_in6 addr;
  char ip[46];

  if (getaddrinfo("ipv6.test-ipv6.com", NULL, NULL, &result)) { exit(1); }
  addr.sin6_addr = ((struct sockaddr_in6 *)result->ai_addr)->sin6_addr;
  inet_ntop(result->ai_family, &(addr.sin6_addr), ip, sizeof ip);
  printf("ip: %s\n", ip);
}
--mancha
 
1 members found this post helpful.
  


Reply

Tags
glibc, security


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
vectorlinux 5.8- fluxbox 1rc2- roxfiler change mouse pointers mandraker64 Linux - General 0 12-08-2006 04:46 PM
Is this a real security update? glibc? No post on slackware's site tho Old_Fogie Slackware 5 08-24-2006 08:23 AM
Linux security review mdk Linux - Security 4 08-26-2004 10:28 PM
How do I install and integrate Openoffice 1.1rc2 onto my Redhat Linux 9 desktop? garymansell Linux - Software 6 08-08-2003 09:10 AM
Mandrake 9.1RC2 and Flash Card Reader Grayhane Linux - Hardware 4 03-14-2003 07:46 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 01:08 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration