Hi Arne,

The first thing to point out is that Debian was never vulnerable to CVE-2010-3847 because of an assertion in dl_open_worker(). (Distros vulnerable to it had disabled those asserts.)

On Thu, Apr 07, 2011 at 07:13:25PM +0200, Arne Wichmann wrote:
> Ok, I had a look at the issue, and as far as I can see
> debian/patches/any/cvs-ignore-origin-privileged.diff (which is applied)
> does fix the problems.

Correct, though it is usually combined with
patches/any/cvs-dont-expand-dst-twice.diff
which is from upstream commit:
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=22cd1c9bcf57c5829d65b6da825f7a459d40c9eb
which was originally proposed as
http://sourceware.org/ml/libc-hacker/2010-10/msg00008.html
along with
http://sourceware.org/ml/libc-hacker/2010-12/msg00001.html
*which has not been taken upstream* but was applied to Fedora's glibc tree.
This is the above patch (cvs-ignore-origin-privileged.diff), which is why
it's still being carried.

Note that cvs-ignore-origin-privileged.diff was (incorrectly?) removed in
2.13-0exp3. But since Debian was never vulnerable to CVE-2010-3847 in the
first place, this may not be a problem.

> I can not claim to have understood the topic in its entirety, though, and I
> am by no means an expert in *libc. As such I do not understand the
> patches/any/cvs-dont-expand-dst-twice.diff and
> debian/patches/any/cvs-audit-suid.diff, though they seem to address the
> problems described in CVE-2010-3856.

debian/patches/any/cvs-audit-suid.diff is from the accepted upstream fix
for CVE-2010-3856:
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=8e9f92e9d5d7737afdacf79b76d98c4c42980508

Note that Ubuntu carries an additional proactive patch for CVE-2010-3856:
http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/maverick/eglibc/maverick-security/view/head:/debian/patches/any/disable-ld_audit.diff

> So, somebody else might still have a look at that.

CVE-2010-3847 is a real mess, especially since I *think* upstream hasn't
entirely fixed it.

-Kees

--
Kees Cook @debian.org