public inbox for glibc-bugs@sourceware.org
* [Bug dynamic-link/18928] New: LD_POINTER_GUARD is not ignored for privileged binaries
From: ppluzhnikov at google dot com @ 2015-09-06 23:00 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18928

            Bug ID: 18928
           Summary: LD_POINTER_GUARD is not ignored for privileged
                    binaries
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: dynamic-link
          Assignee: unassigned at sourceware dot org
          Reporter: ppluzhnikov at google dot com
  Target Milestone: ---

From https://sourceware.org/ml/libc-alpha/2015-09/msg00164.html

---
The issue is that the LD_POINTER_GUARD in the
environment is not sanitized, allowing local attackers to easily bypass
the pointer guarding protection on set-user-ID and set-group-ID
programs.

Details of the weakness:
http://hmarco.org/bugs/glibc_ptr_mangle_weakness.html
---

CVE request: http://www.openwall.com/lists/oss-security/2015/09/05/8

-- 
You are receiving this mail because:
You are on the CC list for the bug.


* [Bug dynamic-link/18928] LD_POINTER_GUARD is not ignored for privileged binaries
From: fweimer at redhat dot com @ 2015-10-08  8:45 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18928

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                            |Added
----------------------------------------------------------------------------
           Assignee|unassigned at sourceware dot org   |fweimer at redhat dot com


* [Bug dynamic-link/18928] LD_POINTER_GUARD is not ignored for privileged binaries
From: fweimer at redhat dot com @ 2015-10-13 14:00 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18928

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Patch posted to remove LD_POINTER_GUARD completely:

https://sourceware.org/ml/libc-alpha/2015-10/msg00390.html


* [Bug dynamic-link/18928] LD_POINTER_GUARD is not ignored for privileged binaries
From: cvs-commit at gcc dot gnu.org @ 2015-10-15  7:49 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18928

--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  a014cecd82b71b70a6a843e250e06b541ad524f7 (commit)
      from  0c25f5b5bb48a9d550b5fb403b9a801ba04c146f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a014cecd82b71b70a6a843e250e06b541ad524f7

commit a014cecd82b71b70a6a843e250e06b541ad524f7
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Oct 15 09:23:07 2015 +0200

    Always enable pointer guard [BZ #18928]

    Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
    has security implications.  This commit enables pointer guard
    unconditionally, and the environment variable is now ignored.

            [BZ #18928]
            * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
            _dl_pointer_guard member.
            * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
            initializer.
            (security_init): Always set up pointer guard.
            (process_envvars): Do not process LD_POINTER_GUARD.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                  |   10 ++++++++++
 NEWS                       |   13 ++++++++-----
 elf/rtld.c                 |   15 ++++-----------
 sysdeps/generic/ldsodefs.h |    3 ---
 4 files changed, 22 insertions(+), 19 deletions(-)

^ permalink raw reply	[flat|nested] 8+ messages in thread
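
The ChangeLog entries in the commit above, as a simplified model added here (not glibc source, and not written by anyone in this thread). The policy names, `pointer_guard_enabled`, `model_guard`, the sample environment and the assumption that a guard which is never set up stays zero are all hypothetical. It compares the reported behaviour, a narrower fix that ignores the variable only under AT_SECURE, and the committed behaviour in which the variable is never read.

```c
/* Simplified model added for illustration; not glibc source code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum policy {
    HONOR_ALWAYS,     /* behaviour reported in the bug */
    IGNORE_IF_SECURE, /* narrower fix suggested by the bug title */
    ALWAYS_ON         /* behaviour after the commit: variable never read */
};

/* Returns 1 if pointer guard stays enabled, 0 if the environment turned it off. */
static int pointer_guard_enabled(enum policy p, int at_secure,
                                 const char *const *envp)
{
    int enabled = 1; /* assumed default: on */
    if (p == ALWAYS_ON || (p == IGNORE_IF_SECURE && at_secure))
        return 1;
    for (; *envp != NULL; envp++)
        if (strncmp(*envp, "LD_POINTER_GUARD=", 17) == 0)
            enabled = (*envp)[17] != '0';
    return enabled;
}

/* Guard value the model installs: the random word when enabled, else 0
   (assumption: a guard that is never set up stays zero). */
static uintptr_t model_guard(enum policy p, int at_secure,
                             const char *const *envp, uintptr_t random_word)
{
    return pointer_guard_enabled(p, at_secure, envp) ? random_word : 0;
}

/* Constructed sample environment, as a set-user-ID program might inherit it. */
static const char *const sample_env[] = { "PATH=/usr/bin", "LD_POINTER_GUARD=0", NULL };

int main(void)
{
    const uintptr_t rnd = 0x5eedc0de; /* constructed stand-in for the random word */
    static const char *const names[] = { "honor always", "ignore if AT_SECURE", "always on" };
    for (int p = HONOR_ALWAYS; p <= ALWAYS_ON; p++)
        for (int secure = 0; secure <= 1; secure++)
            printf("%-20s AT_SECURE=%d guard=%#lx\n", names[p], secure,
                   (unsigned long)model_guard((enum policy)p, secure, sample_env, rnd));
    return 0;
}
```

Only the first policy lets an inherited environment zero the guard of a privileged process; the committed policy also removes the switch for unprivileged processes.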

* [Bug dynamic-link/18928] LD_POINTER_GUARD is not ignored for privileged binaries
From: fweimer at redhat dot com @ 2015-10-15  7:50 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18928

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Florian Weimer <fweimer at redhat dot com> ---
Fixed in 2.23.


* [Bug dynamic-link/18928] LD_POINTER_GUARD is not ignored for privileged binaries
From: cvs-commit at gcc dot gnu.org @ 2015-10-17  4:54 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18928

--- Comment #4 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.22/master has been updated
       via  dc22a1ec157d02529a0b17986679d3f1c122985e (commit)
      from  2b529a82afc15a76185fca16ba7bcc8fbd82d15d (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=dc22a1ec157d02529a0b17986679d3f1c122985e

commit dc22a1ec157d02529a0b17986679d3f1c122985e
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Oct 15 09:23:07 2015 +0200

    Always enable pointer guard [BZ #18928]

    Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
    has security implications.  This commit enables pointer guard
    unconditionally, and the environment variable is now ignored.

            [BZ #18928]
            * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
            _dl_pointer_guard member.
            * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
            initializer.
            (security_init): Always set up pointer guard.
            (process_envvars): Do not process LD_POINTER_GUARD.

    (cherry picked from commit a014cecd82b71b70a6a843e250e06b541ad524f7)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                  |   10 ++++++++++
 NEWS                       |    5 ++++-
 elf/rtld.c                 |   15 ++++-----------
 sysdeps/generic/ldsodefs.h |    3 ---
 4 files changed, 18 insertions(+), 15 deletions(-)


* [Bug dynamic-link/18928] LD_POINTER_GUARD is not ignored for privileged binaries
From: cvs-commit at gcc dot gnu.org @ 2015-10-17  4:55 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18928

--- Comment #5 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, gentoo/2.22 has been updated
       via  bf6a73fb389728f297d942f403bfeac150249a66 (commit)
       via  5c4ac5014823e2bc93f74d4a8ac5502f01a9753f (commit)
       via  cdb1aad567b85b880a1325eb88555b8c8da9159b (commit)
       via  6ff3aac23c2caa5c669e74da5f6c5a7264f51e39 (commit)
      from  adf228f91c11a1bcdf7563d104a2a370d054e482 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bf6a73fb389728f297d942f403bfeac150249a66

commit bf6a73fb389728f297d942f403bfeac150249a66
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Oct 15 09:23:07 2015 +0200

    Always enable pointer guard [BZ #18928]

    Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
    has security implications.  This commit enables pointer guard
    unconditionally, and the environment variable is now ignored.

            [BZ #18928]
            * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
            _dl_pointer_guard member.
            * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
            initializer.
            (security_init): Always set up pointer guard.
            (process_envvars): Do not process LD_POINTER_GUARD.

    (cherry picked from commit a014cecd82b71b70a6a843e250e06b541ad524f7)
    (cherry picked from commit dc22a1ec157d02529a0b17986679d3f1c122985e)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5c4ac5014823e2bc93f74d4a8ac5502f01a9753f

commit 5c4ac5014823e2bc93f74d4a8ac5502f01a9753f
Author: Roland McGrath <roland@hack.frob.com>
Date:   Tue Sep 15 15:27:58 2015 -0700

    Use HOST_NAME_MAX for MAXHOSTNAMELEN in <sys/param.h>.

    (cherry picked from commit 51f24be7ba5d15313ae94f8fb4500ce07cb98c84)
    (cherry picked from commit 666bb4dc55f5a93538d020024c34abad641f50ae)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=cdb1aad567b85b880a1325eb88555b8c8da9159b

commit cdb1aad567b85b880a1325eb88555b8c8da9159b
Author: Roland McGrath <roland@hack.frob.com>
Date:   Fri Sep 4 14:37:56 2015 -0700

    BZ#18921: Fix opendir inverted o_directory_works test.

    (cherry picked from commit bd9e69abb887d78d0d6708fc089cc9f3eabf106d)
    (cherry picked from commit 5c8c3123652045191474a4ca85fbb6e8d9e7d2bc)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6ff3aac23c2caa5c669e74da5f6c5a7264f51e39

commit 6ff3aac23c2caa5c669e74da5f6c5a7264f51e39
Author: Brett Neumeier <brett@neumeier.us>
Date:   Mon Aug 31 15:27:21 2015 -0700

    Fix non-v9 32-bit sparc build.

        [BZ #18870]
        * sysdeps/sparc/sparc32/sem_open.c: Add missing #include

    (cherry picked from commit 36c6e27a26b0afe0187f8790990cf880abdbf244)

-----------------------------------------------------------------------

Summary of changes:
 elf/rtld.c                       |   15 ++++-----------
 misc/sys/param.h                 |    3 +++
 sysdeps/generic/ldsodefs.h       |    3 ---
 sysdeps/posix/opendir.c          |    2 +-
 sysdeps/sparc/sparc32/sem_open.c |    1 +
 5 files changed, 9 insertions(+), 15 deletions(-)


* [Bug dynamic-link/18928] LD_POINTER_GUARD is not ignored for privileged binaries
From: jsm28 at gcc dot gnu.org @ 2015-10-29 17:07 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18928

Joseph Myers <jsm28 at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |2.23
