
Bug#816023: jessie-pu: package glibc/2.19-18+deb8u4



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Dear stable release team,

I would like to do an upload of glibc in jessie to fix a longstanding
security issue with the pt_chown helper (CVE-2013-2207). The upstream
solution is to just remove the pt_chown helper and rely on the kernel
to properly set up the permissions through the devpts filesystem. The
userland in jessie correctly mounts it with the correct permissions,
but given the ill kernel implementation, any subsequent mount of the
devpts filesystem without the "newinstance" option (e.g. /etc/fstab or
in a chroot) resets all the permissions for all mounts, breaking systems.
That's why we have deferred the update so far, preferring to leave a
low security issue open and avoid breaking many systems.

It seems that with the development of kernel namespaces there are more
ways to trigger this security issue, so it's probably time to fix it. We
have found a way to not break systems in case the devpts filesystem is
mounted with the wrong permissions. This has been accepted upstream and
has been present in testing and sid for more than 2 months, without any
report of system breakage.

I would therefore like to get this issue also fixed in jessie. I am
confident this patch will not break any system; that said, it's probably
better to leave the package in jessie-proposed-updates for a few weeks
and call for testing.

At the same time I would like to fix a small issue introduced in the
last security update, which causes a test in the testsuite to use a lot
of system resources, even causing timeouts when the build machine has a
lot of swap like on our build daemons. It doesn't change the binaries
shipped in the package.

You'll find the full debdiff below.

Thanks for considering,
Aurelien


diff --git a/debian/changelog b/debian/changelog
index 19e3a4e..8b6054e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+glibc (2.19-18+deb8u4) UNRELEASED; urgency=medium
+
+  [ Aurelien Jarno ]
+  * Update from upstream stable branch:
+      - Fixes bug18240 failing with a timeout on machines with a lot of swap.
+  * patches/any/cvs-grantpt-pty-owner.diff: new patch from upstream to
+    improve granpt when /dev/pts is not mounted with the correct options.
+  * rules.d/debhelper.mk: only install pt_chown when built.
+  * sysdeps/linux.mk: don't build pt_chown (CVE-2013-2207). Closes: #717544.
+
+ -- Aurelien Jarno <aurel32@debian.org>  Tue, 16 Feb 2016 23:02:13 +0100
+
 glibc (2.19-18+deb8u3) stable-security; urgency=medium
 
   [ Aurelien Jarno ]
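Review bot: the entry "improve granpt when /dev/pts is not mounted with the correct options" misspells grantpt; please fix it before upload so the changelog is searchable for the function name. The distribution field still reads UNRELEASED in the new stanza (`glibc (2.19-18+deb8u4) UNRELEASED; urgency=medium`) and must be set to the jessie target before the actual upload.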
diff --git a/debian/patches/any/cvs-grantpt-pty-owner.diff b/debian/patches/any/cvs-grantpt-pty-owner.diff
new file mode 100644
index 0000000..2ff35bb
--- /dev/null
+++ b/debian/patches/any/cvs-grantpt-pty-owner.diff
@@ -0,0 +1,46 @@
+2015-12-10  Aurelien Jarno  <aurelien@aurel32.net>
+	    Jakub Wilk  <jwilk@debian.org>
+
+	[BZ #19347]
+	* sysdeps/unix/grantpt.c [!HAVE_PT_CHOWN] (grantpt): Do not try
+	to change the group of the device to the tty group.
+
+--- a/sysdeps/unix/grantpt.c
++++ b/sysdeps/unix/grantpt.c
+@@ -155,6 +155,7 @@ grantpt (int fd)
+     }
+   gid_t gid = tty_gid == -1 ? __getgid () : tty_gid;
+ 
++#if HAVE_PT_CHOWN
+   /* Make sure the group of the device is that special group.  */
+   if (st.st_gid != gid)
+     {
+@@ -164,9 +165,26 @@ grantpt (int fd)
+ 
+   /* Make sure the permission mode is set to readable and writable by
+      the owner, and writable by the group.  */
+-  if ((st.st_mode & ACCESSPERMS) != (S_IRUSR|S_IWUSR|S_IWGRP))
++  mode_t mode = S_IRUSR|S_IWUSR|S_IWGRP;
++#else
++  /* When built without pt_chown, we have delegated the creation of the
++     pty node with the right group and permission mode to the kernel, and
++     non-root users are unlikely to be able to change it. Therefore let's
++     consider that POSIX enforcement is the responsibility of the whole
++     system and not only the GNU libc. Thus accept different group or
++     permission mode.  */
++
++  /* Make sure the permission is set to readable and writable by the
++     owner.  For security reasons, make it writable by the group only
++     when originally writable and when the group of the device is that
++     special group.  */
++  mode_t mode = S_IRUSR|S_IWUSR|
++	        ((st.st_gid == gid) ? (st.st_mode & S_IWGRP) : 0);
++#endif
++
++  if ((st.st_mode & ACCESSPERMS) != mode)
+     {
+-      if (__chmod (buf, S_IRUSR|S_IWUSR|S_IWGRP) < 0)
++      if (__chmod (buf, mode) < 0)
+ 	goto helper;
+     }
+ 
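Review bot: the ChangeLog text "Do not try to change the group of the device to the tty group" under-describes the hunk: in the !HAVE_PT_CHOWN branch the mode logic also changes, since `mode_t mode = S_IRUSR|S_IWUSR| ((st.st_gid == gid) ? (st.st_mode & S_IWGRP) : 0);` keeps group write only when the node already belongs to the tty group, so a pty that is group-writable for some other group is chmod'ed to 0600 by the subsequent `if ((st.st_mode & ACCESSPERMS) != mode)`. That is the actual behavioural difference on a system whose devpts is mounted with the wrong gid, and it is what makes the change safe, so it deserves a sentence in the ChangeLog entry. Also, `goto helper` on chmod failure remains reachable when HAVE_PT_CHOWN is not defined; confirm that the helper label and its return path still compile in that configuration, since this build is the first one in jessie without pt_chown.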
diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff
index ca3bd98..1a24dd0 100644
--- a/debian/patches/git-updates.diff
+++ b/debian/patches/git-updates.diff
@@ -1,10 +1,14 @@
 GIT update of git://sourceware.org/git/glibc.git/release/2.19/master from glibc-2.19
 
 diff --git a/ChangeLog b/ChangeLog
-index 81c393a..e17bd64 100644
+index 81c393a..9907019 100644
 --- a/ChangeLog
 +++ b/ChangeLog
-@@ -1,3 +1,439 @@
+@@ -1,3 +1,443 @@
++2016-02-12  Florian Weimer  <fweimer@redhat.com>
++
++	* misc/bug18240.c (do_test): Set RLIMIT_AS.
++
 +2016-01-27  Paul Eggert  <eggert@cs.ucla.edu>
 +
 +	[BZ #18240]
@@ -1651,10 +1655,10 @@ index b039182..ad9e921 100644
  endif
 diff --git a/misc/bug18240.c b/misc/bug18240.c
 new file mode 100644
-index 0000000..4b26865
+index 0000000..773586e
 --- /dev/null
 +++ b/misc/bug18240.c
-@@ -0,0 +1,75 @@
+@@ -0,0 +1,97 @@
 +/* Test integer wraparound in hcreate.
 +   Copyright (C) 2016 Free Software Foundation, Inc.
 +   This file is part of the GNU C Library.
@@ -1679,6 +1683,7 @@ index 0000000..4b26865
 +#include <stdbool.h>
 +#include <stdio.h>
 +#include <stdlib.h>
++#include <sys/resource.h>
 +
 +static void
 +test_size (size_t size)
@@ -1715,6 +1720,27 @@ index 0000000..4b26865
 +static int
 +do_test (void)
 +{
++  /* Limit the size of the process, so that memory allocation will
++     fail without impacting the entire system.  */
++  {
++    struct rlimit limit;
++    if (getrlimit (RLIMIT_AS, &limit) != 0)
++      {
++        printf ("getrlimit (RLIMIT_AS) failed: %m\n");
++        return 1;
++      }
++    long target = 100 * 1024 * 1024;
++    if (limit.rlim_cur == RLIM_INFINITY || limit.rlim_cur > target)
++      {
++        limit.rlim_cur = target;
++        if (setrlimit (RLIMIT_AS, &limit) != 0)
++          {
++            printf ("setrlimit (RLIMIT_AS) failed: %m\n");
++            return 1;
++          }
++      }
++  }
++
 +  test_size (500);
 +  test_size (-1);
 +  test_size (-3);
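Review bot: `long target = 100 * 1024 * 1024;` is compared against and assigned to `limit.rlim_cur`, which has the unsigned type `rlim_t`; declaring `target` as `rlim_t` avoids the signed/unsigned comparison and matches the field it is stored into. Separately, RLIMIT_AS caps the whole address space rather than the heap alone, and the positive case `test_size (500)` runs only after the limit has been lowered, so the 100 MiB value should be confirmed to leave enough room for the test binary's own mappings on every release architecture, otherwise the test would fail for a reason unrelated to the hcreate wraparound it checks.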
diff --git a/debian/patches/series b/debian/patches/series
index edef141..7421910 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -276,3 +276,4 @@ any/cvs-ld_pointer_guard.diff
 any/cvs-mangle-tls_dtor_list.diff
 any/cvs-strxfrm-buffer-overflows.diff
 any/local-CVE-2015-7547.diff
+any/cvs-grantpt-pty-owner.diff
diff --git a/debian/rules.d/debhelper.mk b/debian/rules.d/debhelper.mk
index 5a41212..f4e8277 100644
--- a/debian/rules.d/debhelper.mk
+++ b/debian/rules.d/debhelper.mk
@@ -170,6 +170,7 @@ $(stamp)debhelper-common:
 	  case $$y in \
 	    *.install) \
 	      sed -e "s/^#.*//" -i $$y ; \
+	      $(if $(filter $(pt_chown),no),sed -e "/pt_chown/d" -i $$y ;) \
 	      ;; \
 	  esac; \
 	done
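Review bot: `$(filter $(pt_chown),no)` is only true when the variable is literally `no`; if a sysdeps file leaves `pt_chown` unset, the `sed -e "/pt_chown/d"` is skipped and the .install files keep their pt_chown entries, so an unset variable silently behaves like `pt_chown = yes`. Either invert the test (`$(if $(filter yes,$(pt_chown)),,sed -e "/pt_chown/d" -i $$y ;)`) so that only an explicit `yes` installs the helper, or check that every debian/sysdeps/*.mk sets the variable. The sed expression also deletes every line mentioning pt_chown, comments included, which is fine for the current .install files but worth a short comment next to the rule.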
diff --git a/debian/sysdeps/linux.mk b/debian/sysdeps/linux.mk
index 41d59cc..df056e5 100644
--- a/debian/sysdeps/linux.mk
+++ b/debian/sysdeps/linux.mk
@@ -2,8 +2,8 @@
 MIN_KERNEL_SUPPORTED := 2.6.32
 libc = libc6
 
-# Build and expect pt_chown on this platform
-pt_chown = yes
+# Do not build pt_chown on this platform
+pt_chown = no
 
 # NPTL Config
 threads = yes

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)