[glibc/f19] Remove pt_chown (CVE-2013-2207).

Siddhesh Poyarekar siddhesh at fedoraproject.org
Mon Aug 19 12:40:42 UTC 2013


commit 1a6af40ca94a10091519d1ec06007056dbbdb260
Author: Siddhesh Poyarekar <siddhesh at redhat.com>
Date:   Mon Aug 19 17:35:11 2013 +0530

    Remove pt_chown (CVE-2013-2207).

 glibc-fedora-pt_chown.patch |   57 ----------
 glibc-rh984829.patch        |  239 +++++++++++++++++++++++++++++++++++++++++++
 glibc.spec                  |   16 ++--
 3 files changed, 246 insertions(+), 66 deletions(-)
---
diff --git a/glibc-rh984829.patch b/glibc-rh984829.patch
new file mode 100644
index 0000000..f9c8f2e
--- /dev/null
+++ b/glibc-rh984829.patch
@@ -0,0 +1,239 @@
+#* CVE-2013-2207 Incorrectly granting access to another user's pseudo-terminal
+#  has been fixed by disabling the use of pt_chown (Bugzilla #15755).
+#  Distributions can re-enable building and using pt_chown via the new configure
+#  option `--enable-pt_chown'.  Enabling the use of pt_chown carries with it
+#  considerable security risks and should only be used if the distribution
+#  understands and accepts the risks.
+#
+#2013-07-21  Siddhesh Poyarekar  <siddhesh at redhat.com>
+#	    Andreas Schwab  <schwab at suse.de>
+#	    Roland McGrath  <roland at hack.frob.com>
+#	    Joseph Myers  <joseph at codesourcery.com>
+#	    Carlos O'Donell  <carlos at redhat.com>
+#
+#	[BZ #15755]
+#	* config.h.in: Define HAVE_PT_CHOWN.
+#	* config.make.in (build-pt-chown): New variable.
+#	* configure.in (--enable-pt_chown): New configure option.
+#	* configure: Regenerate.
+#	* login/Makefile: Include Makeconfig.  Build pt_chown only if
+#	build-pt-chown is enabled.
+#	* sysdeps/unix/grantpt.c (grantpt) [HAVE_PT_CHOWN]: Spawn
+#	pt_chown to fix pty ownership.
+#	* sysdeps/unix/sysv/linux/grantpt.c [HAVE_PT_CHOWN]: Define
+#	CLOSE_ALL_FDS.
+#	* manual/install.texi (Configuring and compiling): Mention
+#	--enable-pt_chown. Add @findex for grantpt.
+#	* INSTALL: Regenerate.
+#
+diff -Nrup a/config.h.in b/config.h.in
+--- a/config.h.in	2012-12-24 22:02:13.000000000 -0500
++++ b/config.h.in	2013-07-24 00:20:07.651301252 -0400
+@@ -232,4 +232,7 @@
+ /* The ARM hard-float ABI is being used.  */
+ #undef HAVE_ARM_PCS_VFP
+ 
++/* The pt_chown binary is being built and used by grantpt.  */
++#undef HAVE_PT_CHOWN
++
+ #endif
+diff -Nrup a/config.make.in b/config.make.in
+--- a/config.make.in	2012-12-24 22:02:13.000000000 -0500
++++ b/config.make.in	2013-07-24 00:21:15.244176098 -0400
+@@ -101,6 +101,7 @@ force-install = @force_install@
+ link-obsolete-rpc = @link_obsolete_rpc@
+ build-nscd = @build_nscd@
+ use-nscd = @use_nscd@
++build-pt-chown = @build_pt_chown@
+ 
+ # Build tools.
+ CC = @CC@
+diff -Nrup a/configure b/configure
+--- a/configure	2013-07-24 00:25:10.090174244 -0400
++++ b/configure	2013-07-24 00:20:07.769174345 -0400
+@@ -653,6 +653,7 @@ multi_arch
+ base_machine
+ add_on_subdirs
+ add_ons
++build_pt_chown
+ build_nscd
+ link_obsolete_rpc
+ libc_cv_nss_crypt
+@@ -759,6 +760,7 @@ enable_obsolete_rpc
+ enable_systemtap
+ enable_build_nscd
+ enable_nscd
++enable_pt_chown
+ with_cpu
+ '
+       ac_precious_vars='build_alias
+@@ -1419,6 +1421,7 @@ Optional Features:
+   --enable-systemtap      enable systemtap static probe points [default=no]
+   --disable-build-nscd    disable building and installing the nscd daemon
+   --disable-nscd          library functions will not contact the nscd daemon
++  --enable-pt_chown       Enable building and installing pt_chown
+ 
+ Optional Packages:
+   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
+@@ -3934,6 +3937,19 @@ else
+ fi
+ 
+ 
++# Check whether --enable-pt_chown was given.
++if test "${enable_pt_chown+set}" = set; then :
++  enableval=$enable_pt_chown; build_pt_chown=$enableval
++else
++  build_pt_chown=no
++fi
++
++
++if test $build_pt_chown = yes; then
++  $as_echo "#define HAVE_PT_CHOWN 1" >>confdefs.h
++
++fi
++
+ # The way shlib-versions is used to generate soversions.mk uses a
+ # fairly simplistic model for name recognition that can't distinguish
+ # i486-pc-linux-gnu fully from i486-pc-gnu.  So we mutate a $host_os
+diff -Nrup a/configure.in b/configure.in
+--- a/configure.in	2012-12-24 22:02:13.000000000 -0500
++++ b/configure.in	2013-07-24 00:20:07.658298658 -0400
+@@ -315,6 +315,16 @@ AC_ARG_ENABLE([nscd],
+ 	      [use_nscd=$enableval],
+ 	      [use_nscd=yes])
+ 
++AC_ARG_ENABLE([pt_chown],
++	      [AS_HELP_STRING([--enable-pt_chown],
++	       [Enable building and installing pt_chown])],
++	      [build_pt_chown=$enableval],
++	      [build_pt_chown=no])
++AC_SUBST(build_pt_chown)
++if test $build_pt_chown = yes; then
++  AC_DEFINE(HAVE_PT_CHOWN)
++fi
++
+ # The way shlib-versions is used to generate soversions.mk uses a
+ # fairly simplistic model for name recognition that can't distinguish
+ # i486-pc-linux-gnu fully from i486-pc-gnu.  So we mutate a $host_os
+diff -Nrup a/INSTALL b/INSTALL
+--- a/INSTALL	2012-12-24 22:02:13.000000000 -0500
++++ b/INSTALL	2013-07-24 00:20:07.650300624 -0400
+@@ -128,6 +128,18 @@ will be used, and CFLAGS sets optimizati
+      this can be prevented though there generally is no reason since it
+      creates compatibility problems.
+ 
++`--enable-pt_chown'
++     The file `pt_chown' is a helper binary for `grantpt' (*note
++     Pseudo-Terminals: Allocation.) that is installed setuid root to
++     fix up pseudo-terminal ownership.  It is not built by default
++     because systems using the Linux kernel are commonly built with the
++     `devpts' filesystem enabled and mounted at `/dev/pts', which
++     manages pseudo-terminal ownership automatically.  By using
++     `--enable-pt_chown', you may build `pt_chown' and install it
++     setuid and owned by `root'.  The use of `pt_chown' introduces
++     additional security risks to the system and you should enable it
++     only if you understand and accept those risks.
++
+ `--build=BUILD-SYSTEM'
+ `--host=HOST-SYSTEM'
+      These options are for cross-compiling.  If you specify both
+diff -Nrup a/login/Makefile b/login/Makefile
+--- a/login/Makefile	2012-12-24 22:02:13.000000000 -0500
++++ b/login/Makefile	2013-07-24 00:20:07.660298670 -0400
+@@ -29,9 +29,15 @@ routines := getutent getutent_r getutid 
+ 
+ CFLAGS-grantpt.c = -DLIBEXECDIR='"$(libexecdir)"'
+ 
+-others = utmpdump pt_chown
++others = utmpdump
++
++include ../Makeconfig
++
++ifeq (yes,$(build-pt-chown))
++others += pt_chown
+ others-pie = pt_chown
+ install-others-programs = $(inst_libexecdir)/pt_chown
++endif
+ 
+ subdir-dirs = programs
+ vpath %.c programs
+diff -Nrup a/manual/install.texi b/manual/install.texi
+--- a/manual/install.texi	2012-12-24 22:02:13.000000000 -0500
++++ b/manual/install.texi	2013-07-24 00:20:07.662298261 -0400
+@@ -155,6 +155,20 @@ if the used tools support it.  By using 
+ prevented though there generally is no reason since it creates
+ compatibility problems.
+ 
++ at pindex pt_chown
++ at findex grantpt
++ at item --enable-pt_chown
++The file @file{pt_chown} is a helper binary for @code{grantpt}
++(@pxref{Allocation, Pseudo-Terminals}) that is installed setuid root to
++fix up pseudo-terminal ownership.  It is not built by default because
++systems using the Linux kernel are commonly built with the @code{devpts}
++filesystem enabled and mounted at @file{/dev/pts}, which manages
++pseudo-terminal ownership automatically.  By using
++ at samp{--enable-pt_chown}, you may build @file{pt_chown} and install it
++setuid and owned by @code{root}.  The use of @file{pt_chown} introduces
++additional security risks to the system and you should enable it only if
++you understand and accept those risks.
++
+ @item --build=@var{build-system}
+ @itemx --host=@var{host-system}
+ These options are for cross-compiling.  If you specify both options and
+diff -Nrup a/sysdeps/unix/grantpt.c b/sysdeps/unix/grantpt.c
+--- a/sysdeps/unix/grantpt.c	2012-12-24 22:02:13.000000000 -0500
++++ b/sysdeps/unix/grantpt.c	2013-07-24 00:20:07.663299235 -0400
+@@ -173,9 +173,10 @@ grantpt (int fd)
+   retval = 0;
+   goto cleanup;
+ 
+-  /* We have to use the helper program.  */
++  /* We have to use the helper program if it is available.  */
+  helper:;
+ 
++#ifdef HAVE_PT_CHOWN
+   pid_t pid = __fork ();
+   if (pid == -1)
+     goto cleanup;
+@@ -190,9 +191,9 @@ grantpt (int fd)
+ 	if (__dup2 (fd, PTY_FILENO) < 0)
+ 	  _exit (FAIL_EBADF);
+ 
+-#ifdef CLOSE_ALL_FDS
++# ifdef CLOSE_ALL_FDS
+       CLOSE_ALL_FDS ();
+-#endif
++# endif
+ 
+       execle (_PATH_PT_CHOWN, basename (_PATH_PT_CHOWN), NULL, NULL);
+       _exit (FAIL_EXEC);
+@@ -231,6 +232,7 @@ grantpt (int fd)
+ 	    assert(! "getpt: internal error: invalid exit code from pt_chown");
+ 	  }
+     }
++#endif
+ 
+  cleanup:
+   if (buf != _buf)
+diff -Nrup a/sysdeps/unix/sysv/linux/grantpt.c b/sysdeps/unix/sysv/linux/grantpt.c
+--- a/sysdeps/unix/sysv/linux/grantpt.c	2012-12-24 22:02:13.000000000 -0500
++++ b/sysdeps/unix/sysv/linux/grantpt.c	2013-07-24 00:20:07.664298465 -0400
+@@ -11,7 +11,7 @@
+ 
+ #include "pty-private.h"
+ 
+-
++#if HAVE_PT_CHOWN
+ /* Close all file descriptors except the one specified.  */
+ static void
+ close_all_fds (void)
+@@ -38,6 +38,7 @@ close_all_fds (void)
+       __dup2 (STDOUT_FILENO, STDERR_FILENO);
+     }
+ }
+-#define CLOSE_ALL_FDS() close_all_fds()
++# define CLOSE_ALL_FDS() close_all_fds()
++#endif
+ 
+ #include <sysdeps/unix/grantpt.c>
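Review bot: The guard added to sysdeps/unix/sysv/linux/grantpt.c tests the macro with `#if HAVE_PT_CHOWN`, while the guard added to sysdeps/unix/grantpt.c in the same patch uses `#ifdef HAVE_PT_CHOWN`; config.h.in only ever leaves the symbol `#undef`'d and configure appends `#define HAVE_PT_CHOWN 1`, so both forms currently agree, but the `#if` form evaluates an undefined name (a -Wundef warning) and silently diverges if the define ever becomes `0`. Use the same spelling in both files, `#ifdef HAVE_PT_CHOWN`, so the disabled-by-default path is unmistakable to the next reader. In the non-HAVE_PT_CHOWN build, reaching `helper:` now falls straight through to `cleanup` with whatever `retval` and errno were set earlier in grantpt; the hunk does not show retval's initial value, so it is worth confirming that this path still reports failure rather than success. The enclosing grantpt function starts and ends outside the hunk.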
diff --git a/glibc.spec b/glibc.spec
index f75db1a..341341f 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -27,7 +27,7 @@
 Summary: The GNU libc libraries
 Name: glibc
 Version: %{glibcversion}
-Release: 11%{?dist}
+Release: 12%{?dist}
 # GPLv2+ is used in a bunch of programs, LGPLv2+ is used for libraries.
 # Things that are linked directly into dynamically linked programs
 # and shared libraries (e.g. crt files, lib*_nonshared.a) have an additional
@@ -93,7 +93,6 @@ Patch0014: %{name}-fedora-nptl-linklibc.patch
 Patch0015: %{name}-fedora-localedef.patch
 Patch0016: %{name}-fedora-i386-tls-direct-seg-refs.patch
 Patch0017: %{name}-fedora-gai-canonical.patch
-Patch0018: %{name}-fedora-pt_chown.patch
 Patch0019: %{name}-fedora-nis-rh188246.patch
 Patch0020: %{name}-fedora-manual-dircategory.patch
 Patch0024: %{name}-fedora-locarchive.patch
@@ -122,6 +121,7 @@ Patch1004: %{name}-rh977874.patch
 Patch1005: %{name}-rh977875.patch
 Patch1006: %{name}-rh977887.patch
 Patch1007: %{name}-rh977887-2.patch
+Patch1008: %{name}-rh984829.patch
 
 #
 # Patches submitted, but not yet approved upstream.
@@ -396,7 +396,6 @@ package or when debugging this package.
 %patch0015 -p1
 %patch0016 -p1
 %patch0017 -p1
-%patch0018 -p1
 %patch0019 -p1
 %patch0020 -p1
 %patch2021 -p1
@@ -427,6 +426,7 @@ package or when debugging this package.
 %patch1005 -p1
 %patch1006 -p1
 %patch1007 -p1
+%patch1008 -p1
 
 # On powerpc32, hp timing is only available in power4/power6
 # libs, not in base, so pre-power4 dynamic linker is incompatible
@@ -574,7 +574,6 @@ GCC=`cat Gcc`
 rm -rf $RPM_BUILD_ROOT
 mkdir -p $RPM_BUILD_ROOT
 make -j1 install_root=$RPM_BUILD_ROOT install -C build-%{target} %{silentrules}
-chmod +x $RPM_BUILD_ROOT%{_prefix}/libexec/pt_chown
 %ifnarch %{auxarches}
 cd build-%{target} && \
   make %{?_smp_mflags} install_root=$RPM_BUILD_ROOT install-locales -C ../localedata objdir=`pwd` && \
@@ -821,7 +820,6 @@ grep '%{_prefix}/share' < rpm.filelist | \
 
 sed -i -e '\|%{_prefix}/bin|d' \
        -e '\|%{_prefix}/lib/locale|d' \
-       -e '\|%{_prefix}/libexec/pt_chown|d' \
        -e '\|%{_prefix}/sbin/[^gi]|d' \
        -e '\|%{_prefix}/share|d' rpm.filelist
 
@@ -960,9 +958,8 @@ eu-readelf -hS $RPM_BUILD_ROOT/usr/bin/getconf $RPM_BUILD_ROOT/usr/libexec/getco
 
 find_debuginfo_args='--strict-build-id -g'
 %ifarch %{debuginfocommonarches}
-echo %{_prefix}/libexec/pt_chown > workaround.filelist
 find_debuginfo_args="$find_debuginfo_args \
-  -l common.filelist -l utils.filelist -l nscd.filelist -l workaround.filelist \
+  -l common.filelist -l utils.filelist -l nscd.filelist \
   -p '.*/(sbin|libexec)/.*' \
   -o debuginfocommon.filelist \
   -l rpm.filelist -l nosegneg.filelist \
@@ -1023,7 +1020,6 @@ sed -e '/%%dir/d;/%%config/d;/%%verify/d;s/%%lang([^)]*) //;s#^/*##' \
     common.filelist devel.filelist static.filelist headers.filelist \
     utils.filelist nscd.filelist debuginfocommon.filelist |
 (cd $RPM_BUILD_ROOT; xargs --no-run-if-empty rm -f 2> /dev/null || :)
-rm -f $RPM_BUILD_ROOT%{_prefix}/libexec/pt_chown
 
 %else
 
@@ -1174,7 +1170,6 @@ rm -f *.filelist*
 %attr(0644,root,root) %verify(not md5 size mtime mode) %ghost %config(missingok,noreplace) %{_prefix}/lib/locale/locale-archive
 %dir %attr(755,root,root) /etc/default
 %verify(not md5 size mtime) %config(noreplace) /etc/default/nss
-%attr(755,root,root) %caps(cap_chown,cap_fowner=pe) %{_prefix}/libexec/pt_chown
 %doc documentation/*
 
 %files -f devel.filelist devel
@@ -1222,6 +1217,9 @@ rm -f *.filelist*
 %endif
 
 %changelog
+* Mon Aug 19 2013 Siddhesh Poyarekar <siddhesh at redhat.com> - 2.17-12
+- Disable pt_chown (#984829, CVE-2013-2207).
+
 * Tue Jun 25 2013 Siddhesh Poyarekar <siddhesh at redhat.com> - 2.17-11
   - Fix libm performance regression due to set/restore rounding mode (#977887).
 

