[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: CVE-2010-3847 fixed or not?

Hi Arne,

The first thing to point out is that Debian was never vulnerable to
CVE-2010-3847 because of an assertion in dl_open_worker(). (Distros
vulnerable to it had disabled those asserts.)

On Thu, Apr 07, 2011 at 07:13:25PM +0200, Arne Wichmann wrote:
> Ok, I had a look at the issue, and a far as I can see
> debian/patches/any/cvs-ignore-origin-privileged.diff (which is applied)
> does fix the problems.

Correct, though it is usually combined with
patches/any/cvs-dont-expand-dst-twice.diff which is from upstream commit:
which was originally proposed as
http://sourceware.org/ml/libc-hacker/2010-10/msg00008.html along with
http://sourceware.org/ml/libc-hacker/2010-12/msg00001.html *which has not
been taken upstream* but was applied to Fedora's glibc tree.
This is the above patch (cvs-ignore-origin-privileged.diff), which is
why it's still being carried.

Note that cvs-ignore-origin-privileged.diff was (incorrectly?) removed in
2.13-0exp3. But since Debian was never vulnerable to CVE-2010-3847 in the
first place, this may not be a problem.

> I can not claim to have understood the topic in its entirety, though and I
> am by no means an expert in *libc. As such I do not understand the
> patches/any/cvs-dont-expand-dst-twice.diff and
> debian/patches/any/cvs-audit-suid.diff, though they seem to address the
> problems described in CVE-2010-3856.

debian/patches/any/cvs-audit-suid.diff is from the accepted upstream fix
for CVE-2010-3856:

Note that Ubuntu carries an additional proactive patch for CVE-2010-3856:

> So, somebody else might still have a look at that.

CVE-2010-3847 is a real mess, especially since I *think* upstream hasn't
entirely fixed it.


Kees Cook                                            @debian.org

Reply to: