diff options
Diffstat (limited to 'source/l/glibc/glibc.CVE-2013-2207.diff')
-rw-r--r-- | source/l/glibc/glibc.CVE-2013-2207.diff | 241 |
1 files changed, 241 insertions, 0 deletions
diff --git a/source/l/glibc/glibc.CVE-2013-2207.diff b/source/l/glibc/glibc.CVE-2013-2207.diff new file mode 100644 index 00000000..c43ccf5c --- /dev/null +++ b/source/l/glibc/glibc.CVE-2013-2207.diff @@ -0,0 +1,241 @@ +From 5d96012d9978efe4bad88a38e2efcbeada9f7585 Mon Sep 17 00:00:00 2001 +From: mancha <mancha1@hush.com> +Date: Thu, 22 Aug 2013 +Subject: CVE-2013-2207, BZ #15755: Disable pt_chown. + +Using the setuid installed pt_chown and a weak check on whether a file +descriptor is a tty, an attacker could fake a pty check using FUSE and +trick pt_chown to grant ownership of a pty descriptor that the current +user does not own. It cannot access /dev/pts/ptmx however. + +Pre-conditions for the attack: + + * Attacker with local user account + * Kernel with FUSE support + * "user_allow_other" in /etc/fuse.conf + * Victim with allocated slave in /dev/pts + +In most modern distributions pt_chown is not needed because devpts +is enabled by default. The fix for this CVE is to disable building +and using pt_chown by default. We still provide a configure option +to enable the use of pt_chown but distributions do so at their own +risk. + +--- +This patch was adapted for glibc 2.17 point release from: +http://sourceware.org/git/?p=glibc.git;a=commit;h=e4608715e6e1 +--- + + INSTALL | 12 ++++++++++++ + config.h.in | 3 +++ + config.make.in | 1 + + configure | 15 +++++++++++++++ + configure.in | 10 ++++++++++ + login/Makefile | 8 +++++++- + manual/install.texi | 14 ++++++++++++++ + sysdeps/unix/grantpt.c | 8 +++++--- + sysdeps/unix/sysv/linux/grantpt.c | 5 +++-- + 9 files changed, 70 insertions(+), 6 deletions(-) +--- + +--- a/INSTALL ++++ b/INSTALL +@@ -128,6 +128,18 @@ will be used, and CFLAGS sets optimizati + this can be prevented though there generally is no reason since it + creates compatibility problems. + ++`--enable-pt_chown' ++ The file `pt_chown' is a helper binary for `grantpt' (*note ++ Pseudo-Terminals: Allocation.) that is installed setuid root to ++ fix up pseudo-terminal ownership. It is not built by default ++ because systems using the Linux kernel are commonly built with the ++ `devpts' filesystem enabled and mounted at `/dev/pts', which ++ manages pseudo-terminal ownership automatically. By using ++ `--enable-pt_chown', you may build `pt_chown' and install it ++ setuid and owned by `root'. The use of `pt_chown' introduces ++ additional security risks to the system and you should enable it ++ only if you understand and accept those risks. ++ + `--build=BUILD-SYSTEM' + `--host=HOST-SYSTEM' + These options are for cross-compiling. If you specify both +--- a/config.h.in ++++ b/config.h.in +@@ -232,4 +232,7 @@ + /* The ARM hard-float ABI is being used. */ + #undef HAVE_ARM_PCS_VFP + ++/* The pt_chown binary is being built and used by grantpt. */ ++#undef HAVE_PT_CHOWN ++ + #endif +--- a/config.make.in ++++ b/config.make.in +@@ -101,6 +101,7 @@ force-install = @force_install@ + link-obsolete-rpc = @link_obsolete_rpc@ + build-nscd = @build_nscd@ + use-nscd = @use_nscd@ ++build-pt-chown = @build_pt_chown@ + + # Build tools. + CC = @CC@ +--- a/configure ++++ b/configure +@@ -653,6 +653,7 @@ multi_arch + base_machine + add_on_subdirs + add_ons ++build_pt_chown + build_nscd + link_obsolete_rpc + libc_cv_nss_crypt +@@ -759,6 +760,7 @@ enable_obsolete_rpc + enable_systemtap + enable_build_nscd + enable_nscd ++enable_pt_chown + with_cpu + ' + ac_precious_vars='build_alias +@@ -1419,6 +1421,7 @@ Optional Features: + --enable-systemtap enable systemtap static probe points [default=no] + --disable-build-nscd disable building and installing the nscd daemon + --disable-nscd library functions will not contact the nscd daemon ++ --enable-pt_chown Enable building and installing pt_chown + + Optional Packages: + --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] +@@ -3933,6 +3936,18 @@ else + use_nscd=yes + fi + ++# Check whether --enable-pt_chown was given. ++if test "${enable_pt_chown+set}" = set; then : ++ enableval=$enable_pt_chown; build_pt_chown=$enableval ++else ++ build_pt_chown=no ++fi ++ ++ ++if test $build_pt_chown = yes; then ++ $as_echo "#define HAVE_PT_CHOWN 1" >>confdefs.h ++ ++fi + + # The way shlib-versions is used to generate soversions.mk uses a + # fairly simplistic model for name recognition that can't distinguish +--- a/configure.in ++++ b/configure.in +@@ -315,6 +315,16 @@ AC_ARG_ENABLE([nscd], + [use_nscd=$enableval], + [use_nscd=yes]) + ++AC_ARG_ENABLE([pt_chown], ++ [AS_HELP_STRING([--enable-pt_chown], ++ [Enable building and installing pt_chown])], ++ [build_pt_chown=$enableval], ++ [build_pt_chown=no]) ++AC_SUBST(build_pt_chown) ++if test $build_pt_chown = yes; then ++ AC_DEFINE(HAVE_PT_CHOWN) ++fi ++ + # The way shlib-versions is used to generate soversions.mk uses a + # fairly simplistic model for name recognition that can't distinguish + # i486-pc-linux-gnu fully from i486-pc-gnu. So we mutate a $host_os +--- a/login/Makefile ++++ b/login/Makefile +@@ -29,9 +29,15 @@ routines := getutent getutent_r getutid + + CFLAGS-grantpt.c = -DLIBEXECDIR='"$(libexecdir)"' + +-others = utmpdump pt_chown ++others = utmpdump ++ ++include ../Makeconfig ++ ++ifeq (yes,$(build-pt-chown)) ++others += pt_chown + others-pie = pt_chown + install-others-programs = $(inst_libexecdir)/pt_chown ++endif + + subdir-dirs = programs + vpath %.c programs +--- a/manual/install.texi ++++ b/manual/install.texi +@@ -155,6 +155,20 @@ if the used tools support it. By using + prevented though there generally is no reason since it creates + compatibility problems. + ++@pindex pt_chown ++@findex grantpt ++@item --enable-pt_chown ++The file @file{pt_chown} is a helper binary for @code{grantpt} ++(@pxref{Allocation, Pseudo-Terminals}) that is installed setuid root to ++fix up pseudo-terminal ownership. It is not built by default because ++systems using the Linux kernel are commonly built with the @code{devpts} ++filesystem enabled and mounted at @file{/dev/pts}, which manages ++pseudo-terminal ownership automatically. By using ++@samp{--enable-pt_chown}, you may build @file{pt_chown} and install it ++setuid and owned by @code{root}. The use of @file{pt_chown} introduces ++additional security risks to the system and you should enable it only if ++you understand and accept those risks. ++ + @item --build=@var{build-system} + @itemx --host=@var{host-system} + These options are for cross-compiling. If you specify both options and +--- a/sysdeps/unix/grantpt.c ++++ b/sysdeps/unix/grantpt.c +@@ -173,9 +173,10 @@ grantpt (int fd) + retval = 0; + goto cleanup; + +- /* We have to use the helper program. */ ++ /* We have to use the helper program if it is available.. */ + helper:; + ++#ifdef HAVE_PT_CHOWN + pid_t pid = __fork (); + if (pid == -1) + goto cleanup; +@@ -190,9 +191,9 @@ grantpt (int fd) + if (__dup2 (fd, PTY_FILENO) < 0) + _exit (FAIL_EBADF); + +-#ifdef CLOSE_ALL_FDS ++# ifdef CLOSE_ALL_FDS + CLOSE_ALL_FDS (); +-#endif ++# endif + + execle (_PATH_PT_CHOWN, basename (_PATH_PT_CHOWN), NULL, NULL); + _exit (FAIL_EXEC); +@@ -231,6 +232,7 @@ grantpt (int fd) + assert(! "getpt: internal error: invalid exit code from pt_chown"); + } + } ++#endif + + cleanup: + if (buf != _buf) +--- a/sysdeps/unix/sysv/linux/grantpt.c ++++ b/sysdeps/unix/sysv/linux/grantpt.c +@@ -11,7 +11,7 @@ + + #include "pty-private.h" + +- ++#if HAVE_PT_CHOWN + /* Close all file descriptors except the one specified. */ + static void + close_all_fds (void) +@@ -38,6 +38,7 @@ close_all_fds (void) + __dup2 (STDOUT_FILENO, STDERR_FILENO); + } + } +-#define CLOSE_ALL_FDS() close_all_fds() ++# define CLOSE_ALL_FDS() close_all_fds() ++#endif + + #include <sysdeps/unix/grantpt.c> |