
Re: CVE-2010-3847 fixed or not?



Hi Arne,

The first thing to point out is that Debian was never vulnerable to
CVE-2010-3847 because of an assertion in dl_open_worker(). (Distros
vulnerable to it had disabled those asserts.)

On Thu, Apr 07, 2011 at 07:13:25PM +0200, Arne Wichmann wrote:
> Ok, I had a look at the issue, and as far as I can see
> debian/patches/any/cvs-ignore-origin-privileged.diff (which is applied)
> does fix the problems.

Correct, though it is usually combined with
patches/any/cvs-dont-expand-dst-twice.diff which is from upstream commit:
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=22cd1c9bcf57c5829d65b6da825f7a459d40c9eb
which was originally proposed as
http://sourceware.org/ml/libc-hacker/2010-10/msg00008.html along with
http://sourceware.org/ml/libc-hacker/2010-12/msg00001.html *which has not
been taken upstream* but was applied to Fedora's glibc tree.
This is the above patch (cvs-ignore-origin-privileged.diff), which is
why it's still being carried.

Note that cvs-ignore-origin-privileged.diff was (incorrectly?) removed in
2.13-0exp3. But since Debian was never vulnerable to CVE-2010-3847 in the
first place, this may not be a problem.

> I can not claim to have understood the topic in its entirety, though, and I
> am by no means an expert in *libc. As such I do not understand the
> patches/any/cvs-dont-expand-dst-twice.diff and
> debian/patches/any/cvs-audit-suid.diff, though they seem to address the
> problems described in CVE-2010-3856.

debian/patches/any/cvs-audit-suid.diff is from the accepted upstream fix
for CVE-2010-3856:
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=8e9f92e9d5d7737afdacf79b76d98c4c42980508

Note that Ubuntu carries an additional proactive patch for CVE-2010-3856:
http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/maverick/eglibc/maverick-security/view/head:/debian/patches/any/disable-ld_audit.diff

> So, somebody else might still have a look at that.

CVE-2010-3847 is a real mess, especially since I *think* upstream hasn't
entirely fixed it.

-Kees

-- 
Kees Cook                                            @debian.org

