GNU bug report logs - #27429
Stack clash (CVE-2017-1000366 etc)

Previous Next

Full log

View this message in rfc822 format

From: Efraim Flashner <efraim <at> flashner.co.il>
To: Leo Famulari <leo <at> famulari.name>
Cc: 27429 <at> debbugs.gnu.org
Subject: bug#27429: Stack clash (CVE-2017-1000366 etc)
Date: Tue, 20 Jun 2017 10:18:57 +0300

[Message part 1 (text/plain, inline)]

On Mon, Jun 19, 2017 at 08:49:20PM -0400, Leo Famulari wrote:
> On the glibc bugs (CVE-2016-1000366), civodul said:
> 
> [21:02:26]	<civodul>	lfam: i *think* GuixSD is immune to the LD_LIBRARY_PATH one, FWIW
> [...]
> [21:02:43]	<civodul>	lfam: because of the way is_trusted_path works in glibc
> 
> https://gnunet.org/bot/log/guix/2017-06-19#T1422600
> 
> Relevant upstream commits:
> 
> CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1 programs [BZ #21624]
> https://sourceware.org/git/?p=glibc.git;a=commit;h=f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d
> 
> ld.so: Reject overly long LD_PRELOAD path elements
> https://sourceware.org/git/?p=glibc.git;a=commit;h=6d0ba622891bed9d8394eef1935add53003b12e8
> 
> ld.so: Reject overly long LD_AUDIT path elements:
> https://sourceware.org/git/?p=glibc.git;a=commit;h=81b82fb966ffbd94353f793ad17116c6088dedd9

I don't know if this is true or not, but I have a patch here locally
that seems to work against the CVE. I haven't downloaded the other
patches and added them, but with all the '(replacement #f)''s in place
it should just work to add them in to the glibc packages we have.

I'll wait and see before pushing the patch.


-- 
Efraim Flashner   <efraim <at> flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[0001-gnu-glibc-Patch-CVE-2017-1000366.patch (text/plain, attachment)]

[signature.asc (application/pgp-signature, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.