> The bug against libgcrypt11 is the same as that against libssl0.9.7 -- the
> library has explicitly requested an executable stack.  I don't think this is
> a coincidence:

Indeed, this is not coincidence. Both libraries have optimized 
versions of some function implemented in assembly. But

.note.GNU-stack,"",@progbits

is missing in the assembly sources. Missing markers means executable
stack, so the entire library gets marked as PT_GNU_STACK RWE.

See also
https://www.redhat.com/archives/fedora-devel-list/2005-March/msg00460.html

> it's pretty likely that both of these libraries *use* the executable stack,

No, these libraries _do not_ need an executable stack (e.g., why calculation
of MD5 hash could ever need it?). As a matter of fact, marking stack as
non-executable 

sudo execstack -c /usr/lib/i686/cmov/libssl.so.0.9.7

did not break anything.

> The last bug, I'm leaving assigned to glibc, since that is the package
> whose behavior change triggered these reports.

AFAIK, the only glibc change that made these bugs explicit is hwcap
support. Here is short demonstration:

(downgrade to glibc-2.3.2.ds1-22)

$ ldd /usr/bin/ssh
        libresolv.so.2 => /lib/libresolv.so.2 (0x27486000)
        libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0x27498000)
        libutil.so.1 => /lib/libutil.so.1 (0x275a0000)
        libz.so.1 => /usr/lib/libz.so.1 (0x275a3000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x275b8000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x275cd000)
        libselinux.so.1 => /lib/libselinux.so.1 (0x275fa000)
        libc.so.6 => /lib/libc.so.6 (0x2760c000)
        libdl.so.2 => /lib/libdl.so.2 (0x2773f000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x27465000)

execstack /usr/lib/libcrypto.so.0.9.7 
- /usr/lib/libcrypto.so.0.9.7

(/usr/lib/libcrypto.so.0.9.7 is "generic" library, it is written in
plain C, so, compiler marks the stack as non-executable).

However, optimized library have incorrect PT_GNU_STACK marking:

$ execstack /usr/lib/i686/cmov/libcrypto.so.0.9.7 
X /usr/lib/i686/cmov/libcrypto.so.0.9.7

Now, let's turn on soft mode (just in a case)

$ sudo /bin/sh -c "echo 1 > /proc/sys/kernel/exec-shield"

(turn off exec-shield, except for binaries that explicitly enable it,
e.g. have PT_GNU_STACK RW-)

and install glibc-2.3.5-3.

$ ldd /usr/bin/ssh
        libresolv.so.2 => /lib/libresolv.so.2 (0x2343f000)
        libcrypto.so.0.9.7 => /usr/lib/i686/cmov/libcrypto.so.0.9.7 (0x23451000)
        libutil.so.1 => /lib/libutil.so.1 (0x23553000)
        libz.so.1 => /usr/lib/libz.so.1 (0x23557000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x2356b000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x2357f000)
        libselinux.so.1 => /lib/libselinux.so.1 (0x235ae000)
        libc.so.6 => /lib/libc.so.6 (0x235c0000)
        libdl.so.2 => /lib/libdl.so.2 (0x236da000)
        /lib/ld-linux.so.2 (0x2341e000)

Now, the linker tries to use optimized library, but this library wants 
stack to be executable (for no good reason), so the bug (missing
proper PT_GNU_STACK marker) becomes user-visible.

> In any case, none of these bugs are of severity higher than important.

If PaX or exec-shield (with sys.kernel.exec-shield = 3, e.g. exec-shield
is always enabled) kernel is used, the system will be badly broken.
Or even worse (if soft mode used, which is default with exec-shield):
protection silently switched off for important binaries (e.g.,
ssh|sshd). So, I think 

1) this is _at least_ serious bug,
2) it should have `security' tag.

> There is no policy that Debian supports grsec kernels

This bug can break systems using exec-shield kernels too.
Moreover, there is no policy to deliberately break grsec either.


Best regards,
  Alexei.

Attachment: signature.asc
Description: Digital signature

Reply via email to