Diffstat (limited to 'source/l/glibc/glibc.CVE-2013-2207.diff')
-rw-r--r-- | source/l/glibc/glibc.CVE-2013-2207.diff | 241 |
1 files changed, 0 insertions, 241 deletions
diff --git a/source/l/glibc/glibc.CVE-2013-2207.diff b/source/l/glibc/glibc.CVE-2013-2207.diff
deleted file mode 100644
index c43ccf5c..00000000
--- a/source/l/glibc/glibc.CVE-2013-2207.diff
+++ /dev/null
@@ -1,241 +0,0 @@
-From 5d96012d9978efe4bad88a38e2efcbeada9f7585 Mon Sep 17 00:00:00 2001
-From: mancha <mancha1@hush.com>
-Date: Thu, 22 Aug 2013
-Subject: CVE-2013-2207, BZ #15755: Disable pt_chown.
-
-Using the setuid installed pt_chown and a weak check on whether a file
-descriptor is a tty, an attacker could fake a pty check using FUSE and
-trick pt_chown to grant ownership of a pty descriptor that the current
-user does not own. It cannot access /dev/pts/ptmx however.
-
-Pre-conditions for the attack:
-
- * Attacker with local user account
- * Kernel with FUSE support
- * "user_allow_other" in /etc/fuse.conf
- * Victim with allocated slave in /dev/pts
-
-In most modern distributions pt_chown is not needed because devpts
-is enabled by default. The fix for this CVE is to disable building
-and using pt_chown by default. We still provide a configure option
-to enable the use of pt_chown but distributions do so at their own
-risk.
-
----
-This patch was adapted for glibc 2.17 point release from:
-http://sourceware.org/git/?p=glibc.git;a=commit;h=e4608715e6e1
----
-
- INSTALL | 12 ++++++++++++
- config.h.in | 3 +++
- config.make.in | 1 +
- configure | 15 +++++++++++++++
- configure.in | 10 ++++++++++
- login/Makefile | 8 +++++++-
- manual/install.texi | 14 ++++++++++++++
- sysdeps/unix/grantpt.c | 8 +++++---
- sysdeps/unix/sysv/linux/grantpt.c | 5 +++--
- 9 files changed, 70 insertions(+), 6 deletions(-)
----
-
---- a/INSTALL
-+++ b/INSTALL
-@@ -128,6 +128,18 @@ will be used, and CFLAGS sets optimizati
- this can be prevented though there generally is no reason since it
- creates compatibility problems.
-
-+`--enable-pt_chown'
-+ The file `pt_chown' is a helper binary for `grantpt' (*note
-+ Pseudo-Terminals: Allocation.) that is installed setuid root to
-+ fix up pseudo-terminal ownership. It is not built by default
-+ because systems using the Linux kernel are commonly built with the
-+ `devpts' filesystem enabled and mounted at `/dev/pts', which
-+ manages pseudo-terminal ownership automatically. By using
-+ `--enable-pt_chown', you may build `pt_chown' and install it
-+ setuid and owned by `root'. The use of `pt_chown' introduces
-+ additional security risks to the system and you should enable it
-+ only if you understand and accept those risks.
-+
- `--build=BUILD-SYSTEM'
- `--host=HOST-SYSTEM'
- These options are for cross-compiling. If you specify both
---- a/config.h.in
-+++ b/config.h.in
-@@ -232,4 +232,7 @@
- /* The ARM hard-float ABI is being used. */
- #undef HAVE_ARM_PCS_VFP
-
-+/* The pt_chown binary is being built and used by grantpt. */
-+#undef HAVE_PT_CHOWN
-+
- #endif
---- a/config.make.in
-+++ b/config.make.in
-@@ -101,6 +101,7 @@ force-install = @force_install@
- link-obsolete-rpc = @link_obsolete_rpc@
- build-nscd = @build_nscd@
- use-nscd = @use_nscd@
-+build-pt-chown = @build_pt_chown@
-
- # Build tools.
- CC = @CC@
---- a/configure
-+++ b/configure
-@@ -653,6 +653,7 @@ multi_arch
- base_machine
- add_on_subdirs
- add_ons
-+build_pt_chown
- build_nscd
- link_obsolete_rpc
- libc_cv_nss_crypt
-@@ -759,6 +760,7 @@ enable_obsolete_rpc
- enable_systemtap
- enable_build_nscd
- enable_nscd
-+enable_pt_chown
- with_cpu
- '
- ac_precious_vars='build_alias
-@@ -1419,6 +1421,7 @@ Optional Features:
- --enable-systemtap enable systemtap static probe points [default=no]
- --disable-build-nscd disable building and installing the nscd daemon
- --disable-nscd library functions will not contact the nscd daemon
-+ --enable-pt_chown Enable building and installing pt_chown
-
- Optional Packages:
- --with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
-@@ -3933,6 +3936,18 @@ else
- use_nscd=yes
- fi
-
-+# Check whether --enable-pt_chown was given.
-+if test "${enable_pt_chown+set}" = set; then :
-+ enableval=$enable_pt_chown; build_pt_chown=$enableval
-+else
-+ build_pt_chown=no
-+fi
-+
-+
-+if test $build_pt_chown = yes; then
-+ $as_echo "#define HAVE_PT_CHOWN 1" >>confdefs.h
-+
-+fi
-
- # The way shlib-versions is used to generate soversions.mk uses a
- # fairly simplistic model for name recognition that can't distinguish
---- a/configure.in
-+++ b/configure.in
-@@ -315,6 +315,16 @@ AC_ARG_ENABLE([nscd],
- [use_nscd=$enableval],
- [use_nscd=yes])
-
-+AC_ARG_ENABLE([pt_chown],
-+ [AS_HELP_STRING([--enable-pt_chown],
-+ [Enable building and installing pt_chown])],
-+ [build_pt_chown=$enableval],
-+ [build_pt_chown=no])
-+AC_SUBST(build_pt_chown)
-+if test $build_pt_chown = yes; then
-+ AC_DEFINE(HAVE_PT_CHOWN)
-+fi
-+
- # The way shlib-versions is used to generate soversions.mk uses a
- # fairly simplistic model for name recognition that can't distinguish
- # i486-pc-linux-gnu fully from i486-pc-gnu. So we mutate a $host_os
---- a/login/Makefile
-+++ b/login/Makefile
-@@ -29,9 +29,15 @@ routines := getutent getutent_r getutid
-
- CFLAGS-grantpt.c = -DLIBEXECDIR='"$(libexecdir)"'
-
--others = utmpdump pt_chown
-+others = utmpdump
-+
-+include ../Makeconfig
-+
-+ifeq (yes,$(build-pt-chown))
-+others += pt_chown
- others-pie = pt_chown
- install-others-programs = $(inst_libexecdir)/pt_chown
-+endif
-
- subdir-dirs = programs
- vpath %.c programs
---- a/manual/install.texi
-+++ b/manual/install.texi
-@@ -155,6 +155,20 @@ if the used tools support it. By using
- prevented though there generally is no reason since it creates
- compatibility problems.
-
-+@pindex pt_chown
-+@findex grantpt
-+@item --enable-pt_chown
-+The file @file{pt_chown} is a helper binary for @code{grantpt}
-+(@pxref{Allocation, Pseudo-Terminals}) that is installed setuid root to
-+fix up pseudo-terminal ownership. It is not built by default because
-+systems using the Linux kernel are commonly built with the @code{devpts}
-+filesystem enabled and mounted at @file{/dev/pts}, which manages
-+pseudo-terminal ownership automatically. By using
-+@samp{--enable-pt_chown}, you may build @file{pt_chown} and install it
-+setuid and owned by @code{root}. The use of @file{pt_chown} introduces
-+additional security risks to the system and you should enable it only if
-+you understand and accept those risks.
-+
- @item --build=@var{build-system}
- @itemx --host=@var{host-system}
- These options are for cross-compiling. If you specify both options and
---- a/sysdeps/unix/grantpt.c
-+++ b/sysdeps/unix/grantpt.c
-@@ -173,9 +173,10 @@ grantpt (int fd)
- retval = 0;
- goto cleanup;
-
-- /* We have to use the helper program. */
-+ /* We have to use the helper program if it is available.. */
- helper:;
-
-+#ifdef HAVE_PT_CHOWN
- pid_t pid = __fork ();
- if (pid == -1)
- goto cleanup;
-@@ -190,9 +191,9 @@ grantpt (int fd)
- if (__dup2 (fd, PTY_FILENO) < 0)
- _exit (FAIL_EBADF);
-
--#ifdef CLOSE_ALL_FDS
-+# ifdef CLOSE_ALL_FDS
- CLOSE_ALL_FDS ();
--#endif
-+# endif
-
- execle (_PATH_PT_CHOWN, basename (_PATH_PT_CHOWN), NULL, NULL);
- _exit (FAIL_EXEC);
-@@ -231,6 +232,7 @@ grantpt (int fd)
- assert(! "getpt: internal error: invalid exit code from pt_chown");
- }
- }
-+#endif
-
- cleanup:
- if (buf != _buf)
---- a/sysdeps/unix/sysv/linux/grantpt.c
-+++ b/sysdeps/unix/sysv/linux/grantpt.c
-@@ -11,7 +11,7 @@
-
- #include "pty-private.h"
-
--
-+#if HAVE_PT_CHOWN
- /* Close all file descriptors except the one specified. */
- static void
- close_all_fds (void)
-@@ -38,6 +38,7 @@ close_all_fds (void)
- __dup2 (STDOUT_FILENO, STDERR_FILENO);
- }
- }
--#define CLOSE_ALL_FDS() close_all_fds()
-+# define CLOSE_ALL_FDS() close_all_fds()
-+#endif
-
- #include <sysdeps/unix/grantpt.c> |