Remove pt_chown (CVE-2013-2207).

glibc-fedora-pt_chown.patch

@@ -1,57 +0,0 @@
-From ee3d4021aaaeacff7cf2addcdaa48859fffba2aa Mon Sep 17 00:00:00 2001
-From: Andreas Schwab <schwab@redhat.com>
-Date: Thu, 3 Feb 2011 15:45:02 +0100
-Subject: [PATCH] Replace setuid by file capabilities
-
-* login/programs/pt_chown.c (main): Check for valid file
-descriptor instead of privileges.  Be careful to drop all
-capabilities when not needed.
-
----
- ChangeLog                 |    6 ++++++
- login/programs/pt_chown.c |   14 +++++++++-----
- 3 files changed, 16 insertions(+), 6 deletions(-)
-
---- a/login/programs/pt_chown.c
-+++ b/login/programs/pt_chown.c
-@@ -28,6 +28,7 @@
- #include <string.h>
- #include <sys/stat.h>
- #include <unistd.h>
-+#include <fcntl.h>
- #ifdef HAVE_LIBCAP
- # include <sys/capability.h>
- # include <sys/prctl.h>
-@@ -142,7 +143,7 @@ main (int argc, char *argv[])
-   uid_t uid = getuid ();
-   int remaining;
- 
--  if (argc == 1 && euid == 0)
-+  if (argc == 1 && fcntl (PTY_FILENO, F_GETFD) == 0)
-     {
- #ifdef HAVE_LIBCAP
-   /* Drop privileges.  */
-@@ -175,6 +176,13 @@ main (int argc, char *argv[])
- 
-   /* We aren't going to be using privileges, so drop them right now. */
-   setuid (uid);
-+#ifdef HAVE_LIBCAP
-+  cap_t caps = cap_init ();
-+  if (caps == NULL)
-+    error (1, errno, "cap_init");
-+  cap_set_proc (caps);
-+  cap_free (caps);
-+#endif
- 
-   /* Set locale via LC_ALL.  */
-   setlocale (LC_ALL, "");
-@@ -194,9 +202,5 @@ main (int argc, char *argv[])
-       return EXIT_FAILURE;
-     }
- 
--  /* Check if we are properly installed.  */
--  if (euid != 0)
--    error (FAIL_EXEC, 0, gettext ("needs to be installed setuid `root'"));
--
-   return EXIT_SUCCESS;
- }

glibc-rh984829.patch

@@ -0,0 +1,239 @@
+#* CVE-2013-2207 Incorrectly granting access to another user's pseudo-terminal
+#  has been fixed by disabling the use of pt_chown (Bugzilla #15755).
+#  Distributions can re-enable building and using pt_chown via the new configure
+#  option `--enable-pt_chown'.  Enabling the use of pt_chown carries with it
+#  considerable security risks and should only be used if the distribution
+#  understands and accepts the risks.
+#
+#2013-07-21  Siddhesh Poyarekar  <siddhesh@redhat.com>
+#	    Andreas Schwab  <schwab@suse.de>
+#	    Roland McGrath  <roland@hack.frob.com>
+#	    Joseph Myers  <joseph@codesourcery.com>
+#	    Carlos O'Donell  <carlos@redhat.com>
+#
+#	[BZ #15755]
+#	* config.h.in: Define HAVE_PT_CHOWN.
+#	* config.make.in (build-pt-chown): New variable.
+#	* configure.in (--enable-pt_chown): New configure option.
+#	* configure: Regenerate.
+#	* login/Makefile: Include Makeconfig.  Build pt_chown only if
+#	build-pt-chown is enabled.
+#	* sysdeps/unix/grantpt.c (grantpt) [HAVE_PT_CHOWN]: Spawn
+#	pt_chown to fix pty ownership.
+#	* sysdeps/unix/sysv/linux/grantpt.c [HAVE_PT_CHOWN]: Define
+#	CLOSE_ALL_FDS.
+#	* manual/install.texi (Configuring and compiling): Mention
+#	--enable-pt_chown. Add @findex for grantpt.
+#	* INSTALL: Regenerate.
+#
+diff -Nrup a/config.h.in b/config.h.in
+--- a/config.h.in	2012-12-24 22:02:13.000000000 -0500
++++ b/config.h.in	2013-07-24 00:20:07.651301252 -0400
+@@ -232,4 +232,7 @@
+ /* The ARM hard-float ABI is being used.  */
+ #undef HAVE_ARM_PCS_VFP
+ 
++/* The pt_chown binary is being built and used by grantpt.  */
++#undef HAVE_PT_CHOWN
++
+ #endif
+diff -Nrup a/config.make.in b/config.make.in
+--- a/config.make.in	2012-12-24 22:02:13.000000000 -0500
++++ b/config.make.in	2013-07-24 00:21:15.244176098 -0400
+@@ -101,6 +101,7 @@ force-install = @force_install@
+ link-obsolete-rpc = @link_obsolete_rpc@
+ build-nscd = @build_nscd@
+ use-nscd = @use_nscd@
++build-pt-chown = @build_pt_chown@
+ 
+ # Build tools.
+ CC = @CC@
+diff -Nrup a/configure b/configure
+--- a/configure	2013-07-24 00:25:10.090174244 -0400
++++ b/configure	2013-07-24 00:20:07.769174345 -0400
+@@ -653,6 +653,7 @@ multi_arch
+ base_machine
+ add_on_subdirs
+ add_ons
++build_pt_chown
+ build_nscd
+ link_obsolete_rpc
+ libc_cv_nss_crypt
+@@ -759,6 +760,7 @@ enable_obsolete_rpc
+ enable_systemtap
+ enable_build_nscd
+ enable_nscd
++enable_pt_chown
+ with_cpu
+ '
+       ac_precious_vars='build_alias
+@@ -1419,6 +1421,7 @@ Optional Features:
+   --enable-systemtap      enable systemtap static probe points [default=no]
+   --disable-build-nscd    disable building and installing the nscd daemon
+   --disable-nscd          library functions will not contact the nscd daemon
++  --enable-pt_chown       Enable building and installing pt_chown
+ 
+ Optional Packages:
+   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
+@@ -3934,6 +3937,19 @@ else
+ fi
+ 
+ 
++# Check whether --enable-pt_chown was given.
++if test "${enable_pt_chown+set}" = set; then :
++  enableval=$enable_pt_chown; build_pt_chown=$enableval
++else
++  build_pt_chown=no
++fi
++
++
++if test $build_pt_chown = yes; then
++  $as_echo "#define HAVE_PT_CHOWN 1" >>confdefs.h
++
++fi
++
+ # The way shlib-versions is used to generate soversions.mk uses a
+ # fairly simplistic model for name recognition that can't distinguish
+ # i486-pc-linux-gnu fully from i486-pc-gnu.  So we mutate a $host_os
+diff -Nrup a/configure.in b/configure.in
+--- a/configure.in	2012-12-24 22:02:13.000000000 -0500
++++ b/configure.in	2013-07-24 00:20:07.658298658 -0400
+@@ -315,6 +315,16 @@ AC_ARG_ENABLE([nscd],
+ 	      [use_nscd=$enableval],
+ 	      [use_nscd=yes])
+ 
++AC_ARG_ENABLE([pt_chown],
++	      [AS_HELP_STRING([--enable-pt_chown],
++	       [Enable building and installing pt_chown])],
++	      [build_pt_chown=$enableval],
++	      [build_pt_chown=no])
++AC_SUBST(build_pt_chown)
++if test $build_pt_chown = yes; then
++  AC_DEFINE(HAVE_PT_CHOWN)
++fi
++
+ # The way shlib-versions is used to generate soversions.mk uses a
+ # fairly simplistic model for name recognition that can't distinguish
+ # i486-pc-linux-gnu fully from i486-pc-gnu.  So we mutate a $host_os
+diff -Nrup a/INSTALL b/INSTALL
+--- a/INSTALL	2012-12-24 22:02:13.000000000 -0500
++++ b/INSTALL	2013-07-24 00:20:07.650300624 -0400
+@@ -128,6 +128,18 @@ will be used, and CFLAGS sets optimizati
+      this can be prevented though there generally is no reason since it
+      creates compatibility problems.
+ 
++`--enable-pt_chown'
++     The file `pt_chown' is a helper binary for `grantpt' (*note
++     Pseudo-Terminals: Allocation.) that is installed setuid root to
++     fix up pseudo-terminal ownership.  It is not built by default
++     because systems using the Linux kernel are commonly built with the
++     `devpts' filesystem enabled and mounted at `/dev/pts', which
++     manages pseudo-terminal ownership automatically.  By using
++     `--enable-pt_chown', you may build `pt_chown' and install it
++     setuid and owned by `root'.  The use of `pt_chown' introduces
++     additional security risks to the system and you should enable it
++     only if you understand and accept those risks.
++
+ `--build=BUILD-SYSTEM'
+ `--host=HOST-SYSTEM'
+      These options are for cross-compiling.  If you specify both
+diff -Nrup a/login/Makefile b/login/Makefile
+--- a/login/Makefile	2012-12-24 22:02:13.000000000 -0500
++++ b/login/Makefile	2013-07-24 00:20:07.660298670 -0400
+@@ -29,9 +29,15 @@ routines := getutent getutent_r getutid 
+ 
+ CFLAGS-grantpt.c = -DLIBEXECDIR='"$(libexecdir)"'
+ 
+-others = utmpdump pt_chown
++others = utmpdump
++
++include ../Makeconfig
++
++ifeq (yes,$(build-pt-chown))
++others += pt_chown
+ others-pie = pt_chown
+ install-others-programs = $(inst_libexecdir)/pt_chown
++endif
+ 
+ subdir-dirs = programs
+ vpath %.c programs
+diff -Nrup a/manual/install.texi b/manual/install.texi
+--- a/manual/install.texi	2012-12-24 22:02:13.000000000 -0500
++++ b/manual/install.texi	2013-07-24 00:20:07.662298261 -0400
+@@ -155,6 +155,20 @@ if the used tools support it.  By using 
+ prevented though there generally is no reason since it creates
+ compatibility problems.
+ 
++@pindex pt_chown
++@findex grantpt
++@item --enable-pt_chown
++The file @file{pt_chown} is a helper binary for @code{grantpt}
++(@pxref{Allocation, Pseudo-Terminals}) that is installed setuid root to
++fix up pseudo-terminal ownership.  It is not built by default because
++systems using the Linux kernel are commonly built with the @code{devpts}
++filesystem enabled and mounted at @file{/dev/pts}, which manages
++pseudo-terminal ownership automatically.  By using
++@samp{--enable-pt_chown}, you may build @file{pt_chown} and install it
++setuid and owned by @code{root}.  The use of @file{pt_chown} introduces
++additional security risks to the system and you should enable it only if
++you understand and accept those risks.
++
+ @item --build=@var{build-system}
+ @itemx --host=@var{host-system}
+ These options are for cross-compiling.  If you specify both options and
+diff -Nrup a/sysdeps/unix/grantpt.c b/sysdeps/unix/grantpt.c
+--- a/sysdeps/unix/grantpt.c	2012-12-24 22:02:13.000000000 -0500
++++ b/sysdeps/unix/grantpt.c	2013-07-24 00:20:07.663299235 -0400
+@@ -173,9 +173,10 @@ grantpt (int fd)
+   retval = 0;
+   goto cleanup;
+ 
+-  /* We have to use the helper program.  */
++  /* We have to use the helper program if it is available.  */
+  helper:;
+ 
++#ifdef HAVE_PT_CHOWN
+   pid_t pid = __fork ();
+   if (pid == -1)
+     goto cleanup;
+@@ -190,9 +191,9 @@ grantpt (int fd)
+ 	if (__dup2 (fd, PTY_FILENO) < 0)
+ 	  _exit (FAIL_EBADF);
+ 
+-#ifdef CLOSE_ALL_FDS
++# ifdef CLOSE_ALL_FDS
+       CLOSE_ALL_FDS ();
+-#endif
++# endif
+ 
+       execle (_PATH_PT_CHOWN, basename (_PATH_PT_CHOWN), NULL, NULL);
+       _exit (FAIL_EXEC);
+@@ -231,6 +232,7 @@ grantpt (int fd)
+ 	    assert(! "getpt: internal error: invalid exit code from pt_chown");
+ 	  }
+     }
++#endif
+ 
+  cleanup:
+   if (buf != _buf)
+diff -Nrup a/sysdeps/unix/sysv/linux/grantpt.c b/sysdeps/unix/sysv/linux/grantpt.c
+--- a/sysdeps/unix/sysv/linux/grantpt.c	2012-12-24 22:02:13.000000000 -0500
++++ b/sysdeps/unix/sysv/linux/grantpt.c	2013-07-24 00:20:07.664298465 -0400
+@@ -11,7 +11,7 @@
+ 
+ #include "pty-private.h"
+ 
+-
++#if HAVE_PT_CHOWN
+ /* Close all file descriptors except the one specified.  */
+ static void
+ close_all_fds (void)
+@@ -38,6 +38,7 @@ close_all_fds (void)
+       __dup2 (STDOUT_FILENO, STDERR_FILENO);
+     }
+ }
+-#define CLOSE_ALL_FDS() close_all_fds()
++# define CLOSE_ALL_FDS() close_all_fds()
++#endif
+ 
+ #include <sysdeps/unix/grantpt.c>

glibc.spec

@@ -27,7 +27,7 @@
 Summary: The GNU libc libraries
 Name: glibc
 Version: %{glibcversion}
-Release: 11%{?dist}
+Release: 12%{?dist}
 # GPLv2+ is used in a bunch of programs, LGPLv2+ is used for libraries.
 # Things that are linked directly into dynamically linked programs
 # and shared libraries (e.g. crt files, lib*_nonshared.a) have an additional
@@ -93,7 +93,6 @@ Patch0014: %{name}-fedora-nptl-linklibc.patch
 Patch0015: %{name}-fedora-localedef.patch
 Patch0016: %{name}-fedora-i386-tls-direct-seg-refs.patch
 Patch0017: %{name}-fedora-gai-canonical.patch
-Patch0018: %{name}-fedora-pt_chown.patch
 Patch0019: %{name}-fedora-nis-rh188246.patch
 Patch0020: %{name}-fedora-manual-dircategory.patch
 Patch0024: %{name}-fedora-locarchive.patch
@@ -122,6 +121,7 @@ Patch1004: %{name}-rh977874.patch
 Patch1005: %{name}-rh977875.patch
 Patch1006: %{name}-rh977887.patch
 Patch1007: %{name}-rh977887-2.patch
+Patch1008: %{name}-rh984829.patch
 
 #
 # Patches submitted, but not yet approved upstream.
@@ -396,7 +396,6 @@ package or when debugging this package.
 %patch0015 -p1
 %patch0016 -p1
 %patch0017 -p1
-%patch0018 -p1
 %patch0019 -p1
 %patch0020 -p1
 %patch2021 -p1
@@ -427,6 +426,7 @@ package or when debugging this package.
 %patch1005 -p1
 %patch1006 -p1
 %patch1007 -p1
+%patch1008 -p1
 
 # On powerpc32, hp timing is only available in power4/power6
 # libs, not in base, so pre-power4 dynamic linker is incompatible
@@ -574,7 +574,6 @@ GCC=`cat Gcc`
 rm -rf $RPM_BUILD_ROOT
 mkdir -p $RPM_BUILD_ROOT
 make -j1 install_root=$RPM_BUILD_ROOT install -C build-%{target} %{silentrules}
-chmod +x $RPM_BUILD_ROOT%{_prefix}/libexec/pt_chown
 %ifnarch %{auxarches}
 cd build-%{target} && \
   make %{?_smp_mflags} install_root=$RPM_BUILD_ROOT install-locales -C ../localedata objdir=`pwd` && \
@@ -821,7 +820,6 @@ grep '%{_prefix}/share' < rpm.filelist | \
 
 sed -i -e '\|%{_prefix}/bin|d' \
        -e '\|%{_prefix}/lib/locale|d' \
-       -e '\|%{_prefix}/libexec/pt_chown|d' \
        -e '\|%{_prefix}/sbin/[^gi]|d' \
        -e '\|%{_prefix}/share|d' rpm.filelist
 
@@ -960,9 +958,8 @@ eu-readelf -hS $RPM_BUILD_ROOT/usr/bin/getconf $RPM_BUILD_ROOT/usr/libexec/getco
 
 find_debuginfo_args='--strict-build-id -g'
 %ifarch %{debuginfocommonarches}
-echo %{_prefix}/libexec/pt_chown > workaround.filelist
 find_debuginfo_args="$find_debuginfo_args \
-  -l common.filelist -l utils.filelist -l nscd.filelist -l workaround.filelist \
+  -l common.filelist -l utils.filelist -l nscd.filelist \
   -p '.*/(sbin|libexec)/.*' \
   -o debuginfocommon.filelist \
   -l rpm.filelist -l nosegneg.filelist \
@@ -1023,7 +1020,6 @@ sed -e '/%%dir/d;/%%config/d;/%%verify/d;s/%%lang([^)]*) //;s#^/*##' \
     common.filelist devel.filelist static.filelist headers.filelist \
     utils.filelist nscd.filelist debuginfocommon.filelist |
 (cd $RPM_BUILD_ROOT; xargs --no-run-if-empty rm -f 2> /dev/null || :)
-rm -f $RPM_BUILD_ROOT%{_prefix}/libexec/pt_chown
 
 %else
 
@@ -1174,7 +1170,6 @@ rm -f *.filelist*
 %attr(0644,root,root) %verify(not md5 size mtime mode) %ghost %config(missingok,noreplace) %{_prefix}/lib/locale/locale-archive
 %dir %attr(755,root,root) /etc/default
 %verify(not md5 size mtime) %config(noreplace) /etc/default/nss
-%attr(755,root,root) %caps(cap_chown,cap_fowner=pe) %{_prefix}/libexec/pt_chown
 %doc documentation/*
 
 %files -f devel.filelist devel
@@ -1222,6 +1217,9 @@ rm -f *.filelist*
 %endif
 
 %changelog
+* Mon Aug 19 2013 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.17-12
+- Disable pt_chown (#984829, CVE-2013-2207).
+
 * Tue Jun 25 2013 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.17-11
   - Fix libm performance regression due to set/restore rounding mode (#977887).