summaryrefslogtreecommitdiff
path: root/source/l/glibc/glibc.CVE-2013-2207.diff
diff options
context:
space:
mode:
Diffstat (limited to 'source/l/glibc/glibc.CVE-2013-2207.diff')
-rw-r--r--source/l/glibc/glibc.CVE-2013-2207.diff241
1 files changed, 241 insertions, 0 deletions
diff --git a/source/l/glibc/glibc.CVE-2013-2207.diff b/source/l/glibc/glibc.CVE-2013-2207.diff
new file mode 100644
index 00000000..c43ccf5c
--- /dev/null
+++ b/source/l/glibc/glibc.CVE-2013-2207.diff
@@ -0,0 +1,241 @@
+From 5d96012d9978efe4bad88a38e2efcbeada9f7585 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@hush.com>
+Date: Thu, 22 Aug 2013
+Subject: CVE-2013-2207, BZ #15755: Disable pt_chown.
+
+Using the setuid installed pt_chown and a weak check on whether a file
+descriptor is a tty, an attacker could fake a pty check using FUSE and
+trick pt_chown to grant ownership of a pty descriptor that the current
+user does not own. It cannot access /dev/pts/ptmx however.
+
+Pre-conditions for the attack:
+
+ * Attacker with local user account
+ * Kernel with FUSE support
+ * "user_allow_other" in /etc/fuse.conf
+ * Victim with allocated slave in /dev/pts
+
+In most modern distributions pt_chown is not needed because devpts
+is enabled by default. The fix for this CVE is to disable building
+and using pt_chown by default. We still provide a configure option
+to enable the use of pt_chown but distributions do so at their own
+risk.
+
+---
+This patch was adapted for glibc 2.17 point release from:
+http://sourceware.org/git/?p=glibc.git;a=commit;h=e4608715e6e1
+---
+
+ INSTALL | 12 ++++++++++++
+ config.h.in | 3 +++
+ config.make.in | 1 +
+ configure | 15 +++++++++++++++
+ configure.in | 10 ++++++++++
+ login/Makefile | 8 +++++++-
+ manual/install.texi | 14 ++++++++++++++
+ sysdeps/unix/grantpt.c | 8 +++++---
+ sysdeps/unix/sysv/linux/grantpt.c | 5 +++--
+ 9 files changed, 70 insertions(+), 6 deletions(-)
+---
+
+--- a/INSTALL
++++ b/INSTALL
+@@ -128,6 +128,18 @@ will be used, and CFLAGS sets optimizati
+ this can be prevented though there generally is no reason since it
+ creates compatibility problems.
+
++`--enable-pt_chown'
++ The file `pt_chown' is a helper binary for `grantpt' (*note
++ Pseudo-Terminals: Allocation.) that is installed setuid root to
++ fix up pseudo-terminal ownership. It is not built by default
++ because systems using the Linux kernel are commonly built with the
++ `devpts' filesystem enabled and mounted at `/dev/pts', which
++ manages pseudo-terminal ownership automatically. By using
++ `--enable-pt_chown', you may build `pt_chown' and install it
++ setuid and owned by `root'. The use of `pt_chown' introduces
++ additional security risks to the system and you should enable it
++ only if you understand and accept those risks.
++
+ `--build=BUILD-SYSTEM'
+ `--host=HOST-SYSTEM'
+ These options are for cross-compiling. If you specify both
+--- a/config.h.in
++++ b/config.h.in
+@@ -232,4 +232,7 @@
+ /* The ARM hard-float ABI is being used. */
+ #undef HAVE_ARM_PCS_VFP
+
++/* The pt_chown binary is being built and used by grantpt. */
++#undef HAVE_PT_CHOWN
++
+ #endif
+--- a/config.make.in
++++ b/config.make.in
+@@ -101,6 +101,7 @@ force-install = @force_install@
+ link-obsolete-rpc = @link_obsolete_rpc@
+ build-nscd = @build_nscd@
+ use-nscd = @use_nscd@
++build-pt-chown = @build_pt_chown@
+
+ # Build tools.
+ CC = @CC@
+--- a/configure
++++ b/configure
+@@ -653,6 +653,7 @@ multi_arch
+ base_machine
+ add_on_subdirs
+ add_ons
++build_pt_chown
+ build_nscd
+ link_obsolete_rpc
+ libc_cv_nss_crypt
+@@ -759,6 +760,7 @@ enable_obsolete_rpc
+ enable_systemtap
+ enable_build_nscd
+ enable_nscd
++enable_pt_chown
+ with_cpu
+ '
+ ac_precious_vars='build_alias
+@@ -1419,6 +1421,7 @@ Optional Features:
+ --enable-systemtap enable systemtap static probe points [default=no]
+ --disable-build-nscd disable building and installing the nscd daemon
+ --disable-nscd library functions will not contact the nscd daemon
++ --enable-pt_chown Enable building and installing pt_chown
+
+ Optional Packages:
+ --with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
+@@ -3933,6 +3936,18 @@ else
+ use_nscd=yes
+ fi
+
++# Check whether --enable-pt_chown was given.
++if test "${enable_pt_chown+set}" = set; then :
++ enableval=$enable_pt_chown; build_pt_chown=$enableval
++else
++ build_pt_chown=no
++fi
++
++
++if test $build_pt_chown = yes; then
++ $as_echo "#define HAVE_PT_CHOWN 1" >>confdefs.h
++
++fi
+
+ # The way shlib-versions is used to generate soversions.mk uses a
+ # fairly simplistic model for name recognition that can't distinguish
+--- a/configure.in
++++ b/configure.in
+@@ -315,6 +315,16 @@ AC_ARG_ENABLE([nscd],
+ [use_nscd=$enableval],
+ [use_nscd=yes])
+
++AC_ARG_ENABLE([pt_chown],
++ [AS_HELP_STRING([--enable-pt_chown],
++ [Enable building and installing pt_chown])],
++ [build_pt_chown=$enableval],
++ [build_pt_chown=no])
++AC_SUBST(build_pt_chown)
++if test $build_pt_chown = yes; then
++ AC_DEFINE(HAVE_PT_CHOWN)
++fi
++
+ # The way shlib-versions is used to generate soversions.mk uses a
+ # fairly simplistic model for name recognition that can't distinguish
+ # i486-pc-linux-gnu fully from i486-pc-gnu. So we mutate a $host_os
+--- a/login/Makefile
++++ b/login/Makefile
+@@ -29,9 +29,15 @@ routines := getutent getutent_r getutid
+
+ CFLAGS-grantpt.c = -DLIBEXECDIR='"$(libexecdir)"'
+
+-others = utmpdump pt_chown
++others = utmpdump
++
++include ../Makeconfig
++
++ifeq (yes,$(build-pt-chown))
++others += pt_chown
+ others-pie = pt_chown
+ install-others-programs = $(inst_libexecdir)/pt_chown
++endif
+
+ subdir-dirs = programs
+ vpath %.c programs
+--- a/manual/install.texi
++++ b/manual/install.texi
+@@ -155,6 +155,20 @@ if the used tools support it. By using
+ prevented though there generally is no reason since it creates
+ compatibility problems.
+
++@pindex pt_chown
++@findex grantpt
++@item --enable-pt_chown
++The file @file{pt_chown} is a helper binary for @code{grantpt}
++(@pxref{Allocation, Pseudo-Terminals}) that is installed setuid root to
++fix up pseudo-terminal ownership. It is not built by default because
++systems using the Linux kernel are commonly built with the @code{devpts}
++filesystem enabled and mounted at @file{/dev/pts}, which manages
++pseudo-terminal ownership automatically. By using
++@samp{--enable-pt_chown}, you may build @file{pt_chown} and install it
++setuid and owned by @code{root}. The use of @file{pt_chown} introduces
++additional security risks to the system and you should enable it only if
++you understand and accept those risks.
++
+ @item --build=@var{build-system}
+ @itemx --host=@var{host-system}
+ These options are for cross-compiling. If you specify both options and
+--- a/sysdeps/unix/grantpt.c
++++ b/sysdeps/unix/grantpt.c
+@@ -173,9 +173,10 @@ grantpt (int fd)
+ retval = 0;
+ goto cleanup;
+
+- /* We have to use the helper program. */
++ /* We have to use the helper program if it is available.. */
+ helper:;
+
++#ifdef HAVE_PT_CHOWN
+ pid_t pid = __fork ();
+ if (pid == -1)
+ goto cleanup;
+@@ -190,9 +191,9 @@ grantpt (int fd)
+ if (__dup2 (fd, PTY_FILENO) < 0)
+ _exit (FAIL_EBADF);
+
+-#ifdef CLOSE_ALL_FDS
++# ifdef CLOSE_ALL_FDS
+ CLOSE_ALL_FDS ();
+-#endif
++# endif
+
+ execle (_PATH_PT_CHOWN, basename (_PATH_PT_CHOWN), NULL, NULL);
+ _exit (FAIL_EXEC);
+@@ -231,6 +232,7 @@ grantpt (int fd)
+ assert(! "getpt: internal error: invalid exit code from pt_chown");
+ }
+ }
++#endif
+
+ cleanup:
+ if (buf != _buf)
+--- a/sysdeps/unix/sysv/linux/grantpt.c
++++ b/sysdeps/unix/sysv/linux/grantpt.c
+@@ -11,7 +11,7 @@
+
+ #include "pty-private.h"
+
+-
++#if HAVE_PT_CHOWN
+ /* Close all file descriptors except the one specified. */
+ static void
+ close_all_fds (void)
+@@ -38,6 +38,7 @@ close_all_fds (void)
+ __dup2 (STDOUT_FILENO, STDERR_FILENO);
+ }
+ }
+-#define CLOSE_ALL_FDS() close_all_fds()
++# define CLOSE_ALL_FDS() close_all_fds()
++#endif
+
+ #include <sysdeps/unix/grantpt.c>