Old 05-07-2013, 02:30 PM   #1
mancha
Member
 
Registered: Aug 2012
Posts: 279

Rep: Reputation: Disabled
[Slackware-current] glibc 2.17, shadow, and other penumbrae


Pat (and Michael Semon): good job catching the login issue with glibc 2.17.

I've patched shadow 4.1.5.1 to properly handle NULL crypt() returns under
glibc 2.17+ and submitted it to upstream here.

However, I also wanted to share it with the Slackware community. So, here it is,
hot off the press. Patch applies against latest stable shadow 4.1.5.1.

Pat, your patch prevents the nonexistent user log-in issue Michael found but causes
undesired behavior in other callers. On a FIPS-140 system I tested with either
DES or MD5 ENCRYPT_METHOD, setting a new password will not fail as it should but
returns with apparent success having set password: "!!$6$8IIcy/1EPOk/$..."

You asked about other user-land potentially affected by the new crypt() behavior.
Below is a partial list I've put together that should help you as you work towards
the next release:
  • sudo (fixed in 1.8.6p8)
  • apache httpd (fixed in 2.2.23)
  • screen (fixed in cbaa666d4f) [I recommend updating screen to something more recent]
  • ppp (fixed in 04c4348108)
There are others I've not yet checked like: yptools, popa3d, etc. I will post things
as I discover them.

Cheers.

--mancha
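The failure mode this thread tracks, as an added example that is not part of the post above or of any patch it references: from glibc 2.17 on, crypt() can return NULL (invalid salt, or DES/MD5 on a FIPS system), so a caller has to check the result before comparing or storing it. The names `strict_crypt_stub`, `verify_password` and `hash_new_password` are hypothetical, and the stub is a constructed stand-in for crypt() so the block builds without libcrypt.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Same signature as crypt(3); a real caller passes crypt from <crypt.h>. */
typedef char *(*crypt_fn)(const char *key, const char *salt);

/* Constructed stand-in, NOT a hash: NULL + EINVAL when the first two salt
 * bytes are outside [a-zA-Z0-9./], else the two salt bytes plus the key. */
static char *strict_crypt_stub(const char *key, const char *salt)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./";
    static char out[64];
    if (strlen(salt) < 2 || !strchr(ok, salt[0]) || !strchr(ok, salt[1])) {
        errno = EINVAL;
        return NULL;
    }
    snprintf(out, sizeof out, "%.2s%s", salt, key);
    return out;
}

/* 1 = match, 0 = mismatch, -1 = crypt() failed. The unchecked pattern this
 * replaces, strcmp(crypt(pw, stored), stored), dereferences NULL here. */
int verify_password(crypt_fn cr, const char *pw, const char *stored)
{
    const char *h = cr(pw, stored);
    if (h == NULL)
        return -1;              /* fail closed: no compare, no login */
    return strcmp(h, stored) == 0;
}

/* Hash a new password. On failure dst is untouched and -1 is returned, so
 * the caller can neither store a bogus value nor report success. */
int hash_new_password(crypt_fn cr, const char *pw, const char *salt, char *dst, size_t n)
{
    const char *h = cr(pw, salt);
    if (h == NULL || strlen(h) >= n)
        return -1;
    memcpy(dst, h, strlen(h) + 1);
    return 0;
}

int main(void)
{   /* "!" is a constructed locked-account entry */
    printf("%d %d\n", verify_password(strict_crypt_stub, "secret", "absecret"),
           verify_password(strict_crypt_stub, "secret", "!"));
    return 0;
}
```

With the real crypt() the same two checks apply unchanged; only the function pointer passed in differs.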
 
Old 05-07-2013, 06:42 PM   #2
GazL
Senior Member
 
Registered: May 2008
Posts: 3,312

Rep: Reputation: Disabled
Thanks, mancha. Trying it out here now.
 
Old 05-19-2013, 02:16 PM   #3
mancha
Member
 
Registered: Aug 2012
Posts: 279

Original Poster
Rep: Reputation: Disabled
Update 5/19/13

  • popa3d: Fixed by upstream for next stable release (v1.0.3)
    recommendation: given their long release cycle, apply my backport of
    their patch to latest stable 1.0.2 (see attached)

  • tcsh: Upstream has accepted my patch;
    recommendation: apply my patch against 6.18.01 (see attached)

  • yp-tools suite:

    1. ypserv: fixed in 2.28;
      recommendation: upgrade to at least version 2.28 but preferably ypserv 2.31

    2. yp-tools: not yet fixed; I've sent upstream a patch against latest stable;
      recommendation: upgrade to yp-tools 2.14 and apply my patch (see attached)

    3. ypbind-mt: unaffected;
      recommendation: upgrade to ypbind-mt 1.37.1

--mancha
Attached Files
File Type: txt popa3d-1.0.2-crypt.diff.txt (1.6 KB, 4 views)
File Type: txt tcsh-6.18.01-crypt.diff.txt (332 Bytes, 3 views)

Last edited by mancha; 10-11-2013 at 04:32 AM.
 
1 members found this post helpful.
Old 05-22-2013, 03:40 AM   #4
mancha
Member
 
Registered: Aug 2012
Posts: 279

Original Poster
Rep: Reputation: Disabled
Update 5/22/13

A small bug slipped into the yp-tools patch. The result is an unnecessary call to crypt().

Please update with corrected patch.

Cheers.

--mancha
Attached Files
File Type: txt yp-tools-2.14-crypt-1.diff.txt (2.2 KB, 9 views)
 
1 members found this post helpful.
Old 05-22-2013, 08:43 AM   #5
volkerdi
Slackware Maintainer
 
Registered: Dec 2002
Location: Minnesota
Distribution: Slackware! :-)
Posts: 853

Rep: Reputation: 1658
Quote:
Originally Posted by mancha
Update 5/22/13

A small bug slipped into the yp-tools patch. The result is an unnecessary call to crypt().

Please update with corrected patch.
You had my attention when you used the word bug, but I have a different idea of what that word actually means. Both versions of the patch look to me like they work the same. The second version would be more efficient since it doesn't call crypt twice, but in practice there's probably no way you'd ever be able to notice (or benchmark) a difference.

To me, if you couldn't invent a unit test that shows the first patch has a problem fixed by the second patch, then there is no bug.
 
1 members found this post helpful.
Old 06-11-2013, 12:02 PM   #6
mancha
Member
 
Registered: Aug 2012
Posts: 279

Original Poster
Rep: Reputation: Disabled
Update 6/11/2013

  • xdm: upstream committed my fix
    recommendation: apply my patch to xdm 1.1.11

  • cvs: my fix is here
    recommendation: apply my patch to CVS 1.11.23

  • dropbear: upstream has fixed;
    recommendation: apply upstream's patch to dropbear (note: might have to upgrade slackware's 2008 dropbear)

--mancha
 
1 members found this post helpful.
Old 06-29-2013, 04:56 PM   #7
mancha
Member
 
Registered: Aug 2012
Posts: 279

Original Poster
Rep: Reputation: Disabled
Update 6/29/13

  • KDE/kdm: KDE accepted my fix (to be included in KDE Workspace 4.11).
    recommendation: Upgrade to KDE Workspace 4.10.5 and apply changeset patch.

  • KDE/kcheckpass: KDE accepted my fix (to be included in KDE Workspace 4.11).
    recommendation: Same as above; fix included in above changeset.

  • gdm: Not a stock Slackware package but generously maintained by Robby Workman on SBo.
    recommendation: gdm users on -current should sync with SBo which now includes my fix.

--mancha

Last edited by mancha; 07-02-2013 at 07:10 PM. Reason: Update KDE version numbers
 
1 members found this post helpful.
Old 07-02-2013, 08:59 AM   #8
mancha
Member
 
Registered: Aug 2012
Posts: 279

Original Poster
Rep: Reputation: Disabled
Update 7/2/13

Note: The backport commit with my fixes for KDE/kdm & KDE/kcheckpass missed the tag/release
deadline for 4.10.5 by 1 or 2 days. I edited the recommendations in post #7 above.
 
1 members found this post helpful.
Old 07-03-2013, 02:33 PM   #9
mancha
Member
 
Registered: Aug 2012
Posts: 279

Original Poster
Rep: Reputation: Disabled
Update 7/3/13

Others have expressed interest in the work I have been documenting here but don't always have access to LQ download links.

So, I have uploaded all patches referenced so far to a sourceforge project. From here on in, I will provide upstream links to
patches (if possible) and mirror on sourceforge rather than upload to LQ directly.

Digest file will be signed with the following key:

Code:
PGP Key ID: 0xB5ABF4FFF7048E92
Key fingerprint = 7F1F E9BF 77CF 15AC 8F6B  C934 B5AB F4FF F704 8E92
--mancha
 
1 members found this post helpful.
Old 07-10-2013, 05:13 PM   #10
mancha
Member
 
Registered: Aug 2012
Posts: 279

Original Poster
Rep: Reputation: Disabled
Update 7/10/13

  • SLiM: Not a stock Slackware package but offered by SBo. Upstream has accepted my fix, SBo is aware, and will probably include the patch in the near future.
    recommendation: SLiM users on Slackware-current should re-build SLiM 1.3.5 with my patch.

  • Openswan: Upstream has committed my fix.
    recommendation: IPsec/Openswan users on Slackware-current should re-build Openswan 2.6.39 with my patch.

--mancha
 
1 members found this post helpful.
Old 07-12-2013, 09:47 AM   #11
mancha
Member
 
Registered: Aug 2012
Posts: 279

Original Poster
Rep: Reputation: Disabled
Update 7/12/2013

For Slackware's 20th, I give it and the community a bit more of my code...
  • cyrus-sasl: Upstream has committed my fix to their master branch.
    recommendation: re-build cyrus-sasl 2.1.23 with my backported patch. Alternatively, if you want to upgrade to cyrus-2.1.26 apply
    this backported patch. Note, if you go with 2.1.26, you should probably apply this upstream commit missed in that release.
    [CVE-2013-4122]

--mancha

Last edited by mancha; 07-13-2013 at 07:36 AM.
 
1 members found this post helpful.
Old 07-15-2013, 02:14 AM   #12
mancha
Member
 
Registered: Aug 2012
Posts: 279

Original Poster
Rep: Reputation: Disabled
Update 7/15/13

  • xlockmore: Upstream has accepted my fix and included it in the just-released xlockmore 5.43.
    recommendation: upgrade to xlockmore 5.43.
    [CVE-2013-4143]

--mancha

Last edited by mancha; 07-18-2013 at 04:54 AM.
 
1 members found this post helpful.
Old 07-24-2013, 03:53 PM   #13
mancha
Member
 
Registered: Aug 2012
Posts: 279

Original Poster
Rep: Reputation: Disabled
Update 7/24/13


This concludes phase 1 of my audit of userland affected by glibc crypt changes. A considerable amount
of code was reviewed and fixes developed. CVE identifiers were requested for the more serious security
vulnerabilities.

While not exhaustive, I believe I've covered all stock Slackware packages affected so Slackware 14.1
should be good to go on that front. I've also looked into a few SBo offerings.

During phase 2 I will not actively search for vulnerable program suites but will continue to use this
thread to alert the community about any additional problems and/or fixes I come across or author during
my normal usage.


--mancha
 
4 members found this post helpful.
Old 07-24-2013, 04:52 PM   #14
GazL
Senior Member
 
Registered: May 2008
Posts: 3,312

Rep: Reputation: Disabled
Thanks for your efforts mancha.
 
1 members found this post helpful.
Old 07-24-2013, 05:05 PM   #15
volkerdi
Slackware Maintainer
 
Registered: Dec 2002
Location: Minnesota
Distribution: Slackware! :-)
Posts: 853

Rep: Reputation: 1658
Thanks mancha, your help was greatly appreciated!
 
2 members found this post helpful.
  



Tags
crypt, glibc, security, shadow, vulnerability

