From 1a6af40ca94a10091519d1ec06007056dbbdb260 Mon Sep 17 00:00:00 2001
From: Siddhesh Poyarekar
Date: Mon, 19 Aug 2013 17:35:11 +0530
Subject: [PATCH] Remove pt_chown (CVE-2013-2207).

---
 glibc-fedora-pt_chown.patch | 57 ---------
 glibc-rh984829.patch | 239 ++++++++++++++++++++++++++++++++++++
 glibc.spec | 16 ++-
 3 files changed, 246 insertions(+), 66 deletions(-)
 delete mode 100644 glibc-fedora-pt_chown.patch
 create mode 100644 glibc-rh984829.patch

diff --git a/glibc-fedora-pt_chown.patch b/glibc-fedora-pt_chown.patch
deleted file mode 100644
index f64f449..0000000
--- a/glibc-fedora-pt_chown.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From ee3d4021aaaeacff7cf2addcdaa48859fffba2aa Mon Sep 17 00:00:00 2001
-From: Andreas Schwab
-Date: Thu, 3 Feb 2011 15:45:02 +0100
-Subject: [PATCH] Replace setuid by file capabilities
-
-* login/programs/pt_chown.c (main): Check for valid file
-descriptor instead of privileges. Be careful to drop all
-capabilities when not needed.
-
----
- ChangeLog | 6 ++++++
- login/programs/pt_chown.c | 14 +++++++++-----
- 3 files changed, 16 insertions(+), 6 deletions(-)
-
---- a/login/programs/pt_chown.c
-+++ b/login/programs/pt_chown.c
-@@ -28,6 +28,7 @@
- #include
- #include
- #include
-+#include
- #ifdef HAVE_LIBCAP
- # include
- # include
-@@ -142,7 +143,7 @@ main (int argc, char *argv[])
- uid_t uid = getuid ();
- int remaining;
-
-- if (argc == 1 && euid == 0)
-+ if (argc == 1 && fcntl (PTY_FILENO, F_GETFD) == 0)
- {
- #ifdef HAVE_LIBCAP
- /* Drop privileges. */
-@@ -175,6 +176,13 @@ main (int argc, char *argv[])
-
- /* We aren't going to be using privileges, so drop them right now. */
- setuid (uid);
-+#ifdef HAVE_LIBCAP
-+ cap_t caps = cap_init ();
-+ if (caps == NULL)
-+ error (1, errno, "cap_init");
-+ cap_set_proc (caps);
-+ cap_free (caps);
-+#endif
-
- /* Set locale via LC_ALL. */
- setlocale (LC_ALL, "");
-@@ -194,9 +202,5 @@ main (int argc, char *argv[])
- return EXIT_FAILURE;
- }
-
-- /* Check if we are properly installed. */
-- if (euid != 0)
-- error (FAIL_EXEC, 0, gettext ("needs to be installed setuid `root'"));
--
- return EXIT_SUCCESS;
- }
diff --git a/glibc-rh984829.patch b/glibc-rh984829.patch
new file mode 100644
index 0000000..f9c8f2e
--- /dev/null
+++ b/glibc-rh984829.patch
@@ -0,0 +1,239 @@
+#* CVE-2013-2207 Incorrectly granting access to another user's pseudo-terminal
+# has been fixed by disabling the use of pt_chown (Bugzilla #15755).
+# Distributions can re-enable building and using pt_chown via the new configure
+# option `--enable-pt_chown'. Enabling the use of pt_chown carries with it
+# considerable security risks and should only be used if the distribution
+# understands and accepts the risks.
+#
+#2013-07-21 Siddhesh Poyarekar
+# Andreas Schwab
+# Roland McGrath
+# Joseph Myers
+# Carlos O'Donell
+#
+# [BZ #15755]
+# * config.h.in: Define HAVE_PT_CHOWN.
+# * config.make.in (build-pt-chown): New variable.
+# * configure.in (--enable-pt_chown): New configure option.
+# * configure: Regenerate.
+# * login/Makefile: Include Makeconfig. Build pt_chown only if
+# build-pt-chown is enabled.
+# * sysdeps/unix/grantpt.c (grantpt) [HAVE_PT_CHOWN]: Spawn
+# pt_chown to fix pty ownership.
+# * sysdeps/unix/sysv/linux/grantpt.c [HAVE_PT_CHOWN]: Define
+# CLOSE_ALL_FDS.
+# * manual/install.texi (Configuring and compiling): Mention
+# --enable-pt_chown. Add @findex for grantpt.
+# * INSTALL: Regenerate.
+#
+diff -Nrup a/config.h.in b/config.h.in
+--- a/config.h.in 2012-12-24 22:02:13.000000000 -0500
++++ b/config.h.in 2013-07-24 00:20:07.651301252 -0400
+@@ -232,4 +232,7 @@
+ /* The ARM hard-float ABI is being used. */
+ #undef HAVE_ARM_PCS_VFP
+
++/* The pt_chown binary is being built and used by grantpt. */
++#undef HAVE_PT_CHOWN
++
+ #endif
+diff -Nrup a/config.make.in b/config.make.in
+--- a/config.make.in 2012-12-24 22:02:13.000000000 -0500
++++ b/config.make.in 2013-07-24 00:21:15.244176098 -0400
+@@ -101,6 +101,7 @@ force-install = @force_install@
+ link-obsolete-rpc = @link_obsolete_rpc@
+ build-nscd = @build_nscd@
+ use-nscd = @use_nscd@
++build-pt-chown = @build_pt_chown@
+
+ # Build tools.
+ CC = @CC@
+diff -Nrup a/configure b/configure
+--- a/configure 2013-07-24 00:25:10.090174244 -0400
++++ b/configure 2013-07-24 00:20:07.769174345 -0400
+@@ -653,6 +653,7 @@ multi_arch
+ base_machine
+ add_on_subdirs
+ add_ons
++build_pt_chown
+ build_nscd
+ link_obsolete_rpc
+ libc_cv_nss_crypt
+@@ -759,6 +760,7 @@ enable_obsolete_rpc
+ enable_systemtap
+ enable_build_nscd
+ enable_nscd
++enable_pt_chown
+ with_cpu
+ '
+ ac_precious_vars='build_alias
+@@ -1419,6 +1421,7 @@ Optional Features:
+ --enable-systemtap enable systemtap static probe points [default=no]
+ --disable-build-nscd disable building and installing the nscd daemon
+ --disable-nscd library functions will not contact the nscd daemon
++ --enable-pt_chown Enable building and installing pt_chown
+
+ Optional Packages:
+ --with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
+@@ -3934,6 +3937,19 @@ else
+ fi
+
+
++# Check whether --enable-pt_chown was given.
++if test "${enable_pt_chown+set}" = set; then :
++ enableval=$enable_pt_chown; build_pt_chown=$enableval
++else
++ build_pt_chown=no
++fi
++
++
++if test $build_pt_chown = yes; then
++ $as_echo "#define HAVE_PT_CHOWN 1" >>confdefs.h
++
++fi
++
+ # The way shlib-versions is used to generate soversions.mk uses a
+ # fairly simplistic model for name recognition that can't distinguish
+ # i486-pc-linux-gnu fully from i486-pc-gnu.
So we mutate a $host_os
+diff -Nrup a/configure.in b/configure.in
+--- a/configure.in 2012-12-24 22:02:13.000000000 -0500
++++ b/configure.in 2013-07-24 00:20:07.658298658 -0400
+@@ -315,6 +315,16 @@ AC_ARG_ENABLE([nscd],
+ [use_nscd=$enableval],
+ [use_nscd=yes])
+
++AC_ARG_ENABLE([pt_chown],
++ [AS_HELP_STRING([--enable-pt_chown],
++ [Enable building and installing pt_chown])],
++ [build_pt_chown=$enableval],
++ [build_pt_chown=no])
++AC_SUBST(build_pt_chown)
++if test $build_pt_chown = yes; then
++ AC_DEFINE(HAVE_PT_CHOWN)
++fi
++
+ # The way shlib-versions is used to generate soversions.mk uses a
+ # fairly simplistic model for name recognition that can't distinguish
+ # i486-pc-linux-gnu fully from i486-pc-gnu. So we mutate a $host_os
+diff -Nrup a/INSTALL b/INSTALL
+--- a/INSTALL 2012-12-24 22:02:13.000000000 -0500
++++ b/INSTALL 2013-07-24 00:20:07.650300624 -0400
+@@ -128,6 +128,18 @@ will be used, and CFLAGS sets optimizati
+ this can be prevented though there generally is no reason since it
+ creates compatibility problems.
+
++`--enable-pt_chown'
++ The file `pt_chown' is a helper binary for `grantpt' (*note
++ Pseudo-Terminals: Allocation.) that is installed setuid root to
++ fix up pseudo-terminal ownership. It is not built by default
++ because systems using the Linux kernel are commonly built with the
++ `devpts' filesystem enabled and mounted at `/dev/pts', which
++ manages pseudo-terminal ownership automatically. By using
++ `--enable-pt_chown', you may build `pt_chown' and install it
++ setuid and owned by `root'. The use of `pt_chown' introduces
++ additional security risks to the system and you should enable it
++ only if you understand and accept those risks.
++
+ `--build=BUILD-SYSTEM'
+ `--host=HOST-SYSTEM'
+ These options are for cross-compiling.
If you specify both
+diff -Nrup a/login/Makefile b/login/Makefile
+--- a/login/Makefile 2012-12-24 22:02:13.000000000 -0500
++++ b/login/Makefile 2013-07-24 00:20:07.660298670 -0400
+@@ -29,9 +29,15 @@ routines := getutent getutent_r getutid
+
+ CFLAGS-grantpt.c = -DLIBEXECDIR='"$(libexecdir)"'
+
+-others = utmpdump pt_chown
++others = utmpdump
++
++include ../Makeconfig
++
++ifeq (yes,$(build-pt-chown))
++others += pt_chown
+ others-pie = pt_chown
+ install-others-programs = $(inst_libexecdir)/pt_chown
++endif
+
+ subdir-dirs = programs
+ vpath %.c programs
+diff -Nrup a/manual/install.texi b/manual/install.texi
+--- a/manual/install.texi 2012-12-24 22:02:13.000000000 -0500
++++ b/manual/install.texi 2013-07-24 00:20:07.662298261 -0400
+@@ -155,6 +155,20 @@ if the used tools support it. By using
+ prevented though there generally is no reason since it creates
+ compatibility problems.
+
++@pindex pt_chown
++@findex grantpt
++@item --enable-pt_chown
++The file @file{pt_chown} is a helper binary for @code{grantpt}
++(@pxref{Allocation, Pseudo-Terminals}) that is installed setuid root to
++fix up pseudo-terminal ownership. It is not built by default because
++systems using the Linux kernel are commonly built with the @code{devpts}
++filesystem enabled and mounted at @file{/dev/pts}, which manages
++pseudo-terminal ownership automatically. By using
++@samp{--enable-pt_chown}, you may build @file{pt_chown} and install it
++setuid and owned by @code{root}. The use of @file{pt_chown} introduces
++additional security risks to the system and you should enable it only if
++you understand and accept those risks.
++
+ @item --build=@var{build-system}
+ @itemx --host=@var{host-system}
+ These options are for cross-compiling.
If you specify both options and
+diff -Nrup a/sysdeps/unix/grantpt.c b/sysdeps/unix/grantpt.c
+--- a/sysdeps/unix/grantpt.c 2012-12-24 22:02:13.000000000 -0500
++++ b/sysdeps/unix/grantpt.c 2013-07-24 00:20:07.663299235 -0400
+@@ -173,9 +173,10 @@ grantpt (int fd)
+ retval = 0;
+ goto cleanup;
+
+- /* We have to use the helper program. */
++ /* We have to use the helper program if it is available. */
+ helper:;
+
++#ifdef HAVE_PT_CHOWN
+ pid_t pid = __fork ();
+ if (pid == -1)
+ goto cleanup;
+@@ -190,9 +191,9 @@ grantpt (int fd)
+ if (__dup2 (fd, PTY_FILENO) < 0)
+ _exit (FAIL_EBADF);
+
+-#ifdef CLOSE_ALL_FDS
++# ifdef CLOSE_ALL_FDS
+ CLOSE_ALL_FDS ();
+-#endif
++# endif
+
+ execle (_PATH_PT_CHOWN, basename (_PATH_PT_CHOWN), NULL, NULL);
+ _exit (FAIL_EXEC);
+@@ -231,6 +232,7 @@ grantpt (int fd)
+ assert(! "getpt: internal error: invalid exit code from pt_chown");
+ }
+ }
++#endif
+
+ cleanup:
+ if (buf != _buf)
+diff -Nrup a/sysdeps/unix/sysv/linux/grantpt.c b/sysdeps/unix/sysv/linux/grantpt.c
+--- a/sysdeps/unix/sysv/linux/grantpt.c 2012-12-24 22:02:13.000000000 -0500
++++ b/sysdeps/unix/sysv/linux/grantpt.c 2013-07-24 00:20:07.664298465 -0400
+@@ -11,7 +11,7 @@
+
+ #include "pty-private.h"
+
+-
++#if HAVE_PT_CHOWN
+ /* Close all file descriptors except the one specified. */
+ static void
+ close_all_fds (void)
+@@ -38,6 +38,7 @@ close_all_fds (void)
+ __dup2 (STDOUT_FILENO, STDERR_FILENO);
+ }
+ }
+-#define CLOSE_ALL_FDS() close_all_fds()
++# define CLOSE_ALL_FDS() close_all_fds()
++#endif
+
+ #include
diff --git a/glibc.spec b/glibc.spec
index f75db1a..341341f 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -27,7 +27,7 @@ Summary: The GNU libc libraries
 Name: glibc
 Version: %{glibcversion}
-Release: 11%{?dist}
+Release: 12%{?dist}
 # GPLv2+ is used in a bunch of programs, LGPLv2+ is used for libraries.
 # Things that are linked directly into dynamically linked programs
 # and shared libraries (e.g. crt files, lib*_nonshared.a) have an additional
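Review bot: The guard added to `sysdeps/unix/sysv/linux/grantpt.c` is spelled `#if HAVE_PT_CHOWN`, while the guard added to `sysdeps/unix/grantpt.c` in the same patch is `#ifdef HAVE_PT_CHOWN`; since `config.h.in` only ever declares the symbol as `#undef HAVE_PT_CHOWN`, the `#if` form depends on an undefined macro evaluating to 0 and will trip `-Wundef`, so `#ifdef HAVE_PT_CHOWN` in both files would keep them consistent. Separately, in `sysdeps/unix/grantpt.c` the `helper:;` label now falls straight through to `cleanup:` when the helper is compiled out, and the values of `retval` and `errno` at that point are outside this hunk; it is worth confirming that `grantpt` then reports a failure to the caller rather than returning success without having changed the pty's ownership. A short comment after `helper:;` such as `/* Without pt_chown there is nothing more we can do; fall through to cleanup with the error already recorded.  */` would make the intended outcome explicit. The enclosing `grantpt` function starts and ends outside the hunk.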
@@ -93,7 +93,6 @@ Patch0014: %{name}-fedora-nptl-linklibc.patch
 Patch0015: %{name}-fedora-localedef.patch
 Patch0016: %{name}-fedora-i386-tls-direct-seg-refs.patch
 Patch0017: %{name}-fedora-gai-canonical.patch
-Patch0018: %{name}-fedora-pt_chown.patch
 Patch0019: %{name}-fedora-nis-rh188246.patch
 Patch0020: %{name}-fedora-manual-dircategory.patch
 Patch0024: %{name}-fedora-locarchive.patch
@@ -122,6 +121,7 @@ Patch1004: %{name}-rh977874.patch
 Patch1005: %{name}-rh977875.patch
 Patch1006: %{name}-rh977887.patch
 Patch1007: %{name}-rh977887-2.patch
+Patch1008: %{name}-rh984829.patch
 #
 # Patches submitted, but not yet approved upstream.
@@ -396,7 +396,6 @@ package or when debugging this package.
 %patch0015 -p1
 %patch0016 -p1
 %patch0017 -p1
-%patch0018 -p1
 %patch0019 -p1
 %patch0020 -p1
 %patch2021 -p1
@@ -427,6 +426,7 @@ package or when debugging this package.
 %patch1005 -p1
 %patch1006 -p1
 %patch1007 -p1
+%patch1008 -p1
 # On powerpc32, hp timing is only available in power4/power6
 # libs, not in base, so pre-power4 dynamic linker is incompatible
@@ -574,7 +574,6 @@ GCC=`cat Gcc`
 rm -rf $RPM_BUILD_ROOT
 mkdir -p $RPM_BUILD_ROOT
 make -j1 install_root=$RPM_BUILD_ROOT install -C build-%{target} %{silentrules}
-chmod +x $RPM_BUILD_ROOT%{_prefix}/libexec/pt_chown
 %ifnarch %{auxarches}
 cd build-%{target} && \
 make %{?_smp_mflags} install_root=$RPM_BUILD_ROOT install-locales -C ../localedata objdir=`pwd` && \
@@ -821,7 +820,6 @@ grep '%{_prefix}/share' < rpm.filelist | \
 sed -i -e '\|%{_prefix}/bin|d' \
 -e '\|%{_prefix}/lib/locale|d' \
- -e '\|%{_prefix}/libexec/pt_chown|d' \
 -e '\|%{_prefix}/sbin/[^gi]|d' \
 -e '\|%{_prefix}/share|d' rpm.filelist
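Review bot: The `Patch1008: %{name}-rh984829.patch` line added in the `@@ -122,6 +121,7 @@` hunk carries no explanation, and nothing else in the spec records that pt_chown is now intentionally absent, so a reader of the `%files` and `find_debuginfo_args` hunks cannot tell from the spec alone why the `%caps(cap_chown,cap_fowner=pe)` entry and the `workaround.filelist` handling went away. A one-line comment above it would preserve that context, e.g. `# rh984829: disable pt_chown (CVE-2013-2207); configure must be left at its default of not building it`. The configure invocation in `%build` is not part of this diff, so I cannot confirm from the visible lines that `--enable-pt_chown` is not passed, which is what every removed packaging line assumes; if it were, the now-unlisted `%{_prefix}/libexec/pt_chown` would be installed unpackaged and, worse, without the capability restrictions the old `%files` entry applied.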
@@ -960,9 +958,8 @@ eu-readelf -hS $RPM_BUILD_ROOT/usr/bin/getconf $RPM_BUILD_ROOT/usr/libexec/getco
 find_debuginfo_args='--strict-build-id -g'
 %ifarch %{debuginfocommonarches}
-echo %{_prefix}/libexec/pt_chown > workaround.filelist
 find_debuginfo_args="$find_debuginfo_args \
- -l common.filelist -l utils.filelist -l nscd.filelist -l workaround.filelist \
+ -l common.filelist -l utils.filelist -l nscd.filelist \
 -p '.*/(sbin|libexec)/.*' \
 -o debuginfocommon.filelist \
 -l rpm.filelist -l nosegneg.filelist \
@@ -1023,7 +1020,6 @@ sed -e '/%%dir/d;/%%config/d;/%%verify/d;s/%%lang([^)]*) //;s#^/*##' \
 common.filelist devel.filelist static.filelist headers.filelist \
 utils.filelist nscd.filelist debuginfocommon.filelist | (cd $RPM_BUILD_ROOT; xargs --no-run-if-empty rm -f 2> /dev/null || :)
-rm -f $RPM_BUILD_ROOT%{_prefix}/libexec/pt_chown
 %else
@@ -1174,7 +1170,6 @@ rm -f *.filelist*
 %attr(0644,root,root) %verify(not md5 size mtime mode) %ghost %config(missingok,noreplace) %{_prefix}/lib/locale/locale-archive
 %dir %attr(755,root,root) /etc/default
 %verify(not md5 size mtime) %config(noreplace) /etc/default/nss
-%attr(755,root,root) %caps(cap_chown,cap_fowner=pe) %{_prefix}/libexec/pt_chown
 %doc documentation/*
 %files -f devel.filelist devel
@@ -1222,6 +1217,9 @@ rm -f *.filelist*
 %endif
 %changelog
+* Mon Aug 19 2013 Siddhesh Poyarekar - 2.17-12
+- Disable pt_chown (#984829, CVE-2013-2207).
+
 * Tue Jun 25 2013 Siddhesh Poyarekar - 2.17-11
 - Fix libm performance regression due to set/restore rounding mode (#977887).