diff -u eglibc-2.15/debian/control eglibc-2.15/debian/control --- eglibc-2.15/debian/control +++ eglibc-2.15/debian/control @@ -74,38 +74,6 @@ This package contains the sources and patches which are needed to build eglibc. -Package: locales -Architecture: all -Section: localization -Priority: standard -Depends: ${locale:Depends}, ${misc:Depends}, debconf | debconf-2.0 -Conflicts: base-config, belocs-locales-bin, belocs-locales-data -Replaces: base-config, lliurex-belocs-locales-data -Description: Embedded GNU C Library: National Language (locale) data [support] - Machine-readable data files, shared objects and programs used by the - C library for localization (l10n) and internationalization (i18n) support. - . - This package contains the libc.mo i18n files, plus tools to generate - locale definitions from source files (included in this package). It - allows you to customize which definitions actually get - generated. This is a space-saver over how this package used to be, - with all locales generated by default. This created a package that - unpacked to an excess of 30 megs. - -Package: locales-all -Architecture: any -Section: localization -Priority: extra -Multi-Arch: foreign -Pre-Depends: dpkg (>= 1.15.6) -Depends: ${locale:Depends}, ${misc:Depends}, lzma -Provides: locales -Description: Embedded GNU C Library: Precompiled locale data - This package contains the precompiled locale data for all supported locales. - A better alternative is to install the locales package and only select - desired locales, but it can be useful on a low-memory machine because some - locale files take a lot of memory to be compiled. - Package: nscd Architecture: any Section: admin diff -u eglibc-2.15/debian/changelog eglibc-2.15/debian/changelog --- eglibc-2.15/debian/changelog +++ eglibc-2.15/debian/changelog 
@@ -1,3 +1,46 @@ +eglibc (2.15-0ubuntu10.23) precise-security; urgency=medium + + * Removing locale/locales-all from debian/control since in Precise + it uses langpack-locales and no binary is created in eglibc for locales + + -- Leonidas S. Barbosa Thu, 05 Mar 2020 13:38:43 -0300 + +eglibc (2.15-0ubuntu10.22) precise-security; urgency=medium + + * SECURITY UPDATE: Integer overflow + - debian/patch/CVE-2018-6485.patch: fix integer overflows in + internal memallign and malloc functions in + malloc/malloc.c. + - CVE-2018-6485 + + -- Leonidas S. Barbosa Fri, 06 Dec 2019 21:19:38 -0300 + +eglibc (2.15-0ubuntu10.21) precise-security; urgency=medium + + * SECURITY UPDATE: Buffer underflow in realpath() + - debian/patches/any/cvs-make-getcwd-fail-if-path-is-no-absolute.diff: + Make getcwd(3) fail if it cannot obtain an absolute path + - CVE-2018-1000001 + + -- Chris Coulson Tue, 16 Jan 2018 12:11:46 +0000 + +eglibc (2.15-0ubuntu10.20) precise-security; urgency=medium + + * SECURITY UPDATE: LD_LIBRARY_PATH stack corruption + - debian/patches/any/CVE-2017-1000366.patch: Completely ignore + LD_LIBRARY_PATH for AT_SECURE=1 programs + - CVE-2017-1000366 + * SECURITY UPDATE: LD_PRELOAD stack corruption + - debian/patches/any/upstream-harden-rtld-Reject-overly-long-LD_PRELOAD.patch: + Reject overly long names or names containing directories in + LD_PRELOAD for AT_SECURE=1 programs. + * debian/patches/any/cvs-harden-glibc-malloc-metadata.patch: add + additional consistency check for 1-byte overflows + * debian/patches/any/cvs-harden-ignore-LD_HWCAP_MASK.patch: ignore + LD_HWCAP_MASK for AT_SECURE=1 programs + + -- Steve Beattie Fri, 16 Jun 2017 12:21:27 -0700 + eglibc (2.15-0ubuntu10.18) precise-security; urgency=medium * REGRESSION UPDATE: IPv6 addresses not being returned from a diff -u eglibc-2.15/debian/patches/series eglibc-2.15/debian/patches/series --- eglibc-2.15/debian/patches/series +++ eglibc-2.15/debian/patches/series 
@@ -231,0 +232,6 @@ +any/CVE-2017-1000366.patch +any/upstream-harden-rtld-Reject-overly-long-LD_PRELOAD.patch +any/cvs-harden-glibc-malloc-metadata.patch +any/cvs-harden-ignore-LD_HWCAP_MASK.patch +any/cvs-make-getcwd-fail-if-path-is-no-absolute.diff +CVE-2018-6485.patch only in patch2: unchanged: --- eglibc-2.15.orig/debian/patches/CVE-2018-6485.patch +++ eglibc-2.15/debian/patches/CVE-2018-6485.patch 
@@ -0,0 +1,87 @@ +Backported of: + +From d2450a97c3df5527ea0fd49743bc354c979c185f Mon Sep 17 00:00:00 2001 +From: Arjun Shankar +Date: Thu, 18 Jan 2018 16:47:06 +0000 +Subject: [PATCH] Fix integer overflows in internal memalign and malloc + functions [BZ #22343] + +When posix_memalign is called with an alignment less than MALLOC_ALIGNMENT +and a requested size close to SIZE_MAX, it falls back to malloc code +(because the alignment of a block returned by malloc is sufficient to +satisfy the call). In this case, an integer overflow in _int_malloc leads +to posix_memalign incorrectly returning successfully. + +Upon fixing this and writing a somewhat thorough regression test, it was +discovered that when posix_memalign is called with an alignment larger than +MALLOC_ALIGNMENT (so it uses _int_memalign instead) and a requested size +close to SIZE_MAX, a different integer overflow in _int_memalign leads to +posix_memalign incorrectly returning successfully. + +Both integer overflows affect other memory allocation functions that use +_int_malloc (one affected malloc in x86) or _int_memalign as well. + +This commit fixes both integer overflows. In addition to this, it adds a +regression test to guard against false successful allocations by the +following memory allocation functions when called with too-large allocation +sizes and, where relevant, various valid alignments: +malloc, realloc, calloc, reallocarray, memalign, posix_memalign, +aligned_alloc, valloc, and pvalloc. 
+ +(cherry picked from commit 8e448310d74b283c5cd02b9ed7fb997b47bf9b22) + +--- + malloc/malloc.c | 30 ++++++++++++++++++++++-------- + 1 file changed, 22 insertions(+), 8 deletions(-) + +diff --git a/malloc/malloc.c b/malloc/malloc.c +index 3add8a0..420a977 100644 +--- a/malloc/malloc.c ++++ b/malloc/malloc.c +@@ -1382,14 +1382,21 @@ nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + MINSIZE : \ + ((req) + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK) + +-/* Same, except also perform argument check */ +- +-#define checked_request2size(req, sz) \ +- if (REQUEST_OUT_OF_RANGE(req)) { \ +- __set_errno (ENOMEM); \ +- return 0; \ +- } \ +- (sz) = request2size(req); ++/* Same, except also perform an argument and result check. First, we check ++ that the padding done by request2size didn't result in an integer ++ overflow. Then we check (using REQUEST_OUT_OF_RANGE) that the resulting ++ size isn't so large that a later alignment would lead to another integer ++ overflow. */ ++#define checked_request2size(req, sz) \ ++({ \ ++ (sz) = request2size (req); \ ++ if (((sz) < (req)) \ ++ || REQUEST_OUT_OF_RANGE (sz)) \ ++ { \ ++ __set_errno (ENOMEM); \ ++ return 0; \ ++ } \ ++}) + + /* + --------------- Physical chunk operations --------------- +@@ -4533,6 +4540,13 @@ _int_memalign(mstate av, size_t alignment, size_t bytes) + */ + + ++ /* Check for overflow. */ ++ if (nb > SIZE_MAX - alignment - MINSIZE) ++ { ++ __set_errno (ENOMEM); ++ return 0; ++ } ++ + /* Call malloc with worst case padding to hit alignment. */ + + m = (char*)(_int_malloc(av, nb + alignment + MINSIZE)); +-- +2.22.0 + only in patch2: unchanged: --- eglibc-2.15.orig/debian/patches/any/upstream-harden-rtld-Reject-overly-long-LD_PRELOAD.patch +++ eglibc-2.15/debian/patches/any/upstream-harden-rtld-Reject-overly-long-LD_PRELOAD.patch 
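Review bot: The new guard in `_int_memalign`, `if (nb > SIZE_MAX - alignment - MINSIZE)`, is only sound if `alignment + MINSIZE` cannot itself exceed `SIZE_MAX`; otherwise the subtraction wraps and the check passes. The hunk does not show where `alignment` is bounded before this point, and the function body starts and ends outside it, so confirm that this 2.15 tree caps `alignment` in the callers. If it does, a short comment such as `/* alignment is bounded by the caller, so this subtraction cannot wrap. */` would record that assumption. The regression test described in the commit message is not part of this backport (the diffstat lists only `malloc/malloc.c`), so the boundary case is not exercised here.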
@@ -0,0 +1,108 @@ +From 65ff0b7a085b85271ec8fde99f542281b495e3bc Mon Sep 17 00:00:00 2001 +Message-Id: <65ff0b7a085b85271ec8fde99f542281b495e3bc.1495998948.git.fweimer@redhat.com> +In-Reply-To: +References: +From: Florian Weimer +Date: Sun, 28 May 2017 20:57:40 +0200 +Subject: [PATCH 2/3] rtld: Reject overly long LD_PRELOAD path elements +To: libc-alpha@sourceware.org + +--- + elf/rtld.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++--------------- + 1 file changed, 53 insertions(+), 16 deletions(-) + +Index: b/elf/rtld.c +=================================================================== +--- a/elf/rtld.c ++++ b/elf/rtld.c +@@ -100,6 +100,22 @@ uintptr_t __pointer_chk_guard_local + strong_alias (__pointer_chk_guard_local, __pointer_chk_guard) + #endif + ++/* Check that AT_SECURE=0, or that the passed name does not contain ++ directories and is not overly long. Reject empty names ++ unconditionally. */ ++static bool ++dso_name_valid_for_suid (const char *p) ++{ ++ if (INTUSE(__libc_enable_secure)) ++ { ++ /* Ignore pathnames with directories for AT_SECURE=1 ++ programs, and also skip overlong names. */ ++ size_t len = strlen (p); ++ if (len >= NAME_MAX || memchr (p, '/', len) != NULL) ++ return false; ++ } ++ return *p != '\0'; ++} + + /* List of auditing DSOs. */ + static struct audit_list +@@ -879,6 +895,42 @@ static const char *preloadlist attribute + /* Nonzero if information about versions has to be printed. */ + static int version_info attribute_relro; + ++/* The LD_PRELOAD environment variable gives list of libraries ++ separated by white space or colons that are loaded before the ++ executable's dependencies and prepended to the global scope list. ++ (If the binary is running setuid all elements containing a '/' are ++ ignored since it is insecure.) Return the number of preloads ++ performed. 
*/ ++unsigned int ++handle_ld_preload (const char *preloadlist, struct link_map *main_map) ++{ ++ unsigned int npreloads = 0; ++ const char *p = preloadlist; ++ char fname[PATH_MAX]; ++ ++ while (*p != '\0') ++ { ++ /* Split preload list at space/colon. */ ++ size_t len = strcspn (p, " :"); ++ if (len > 0 && len < PATH_MAX) ++ { ++ memcpy (fname, p, len); ++ fname[len] = '\0'; ++ } ++ else ++ fname[0] = '\0'; ++ ++ /* Skip over the substring and the following delimiter. */ ++ p += len; ++ if (*p == ' ' || *p == ':') ++ ++p; ++ ++ if (dso_name_valid_for_suid (fname)) ++ npreloads += do_preload (fname, main_map, "LD_PRELOAD"); ++ } ++ return npreloads; ++} ++ + static void + dl_main (const ElfW(Phdr) *phdr, + ElfW(Word) phnum, +@@ -1611,23 +1663,8 @@ ERROR: ld.so: object '%s' cannot be load + + if (__builtin_expect (preloadlist != NULL, 0)) + { +- /* The LD_PRELOAD environment variable gives list of libraries +- separated by white space or colons that are loaded before the +- executable's dependencies and prepended to the global scope +- list. If the binary is running setuid all elements +- containing a '/' are ignored since it is insecure. */ +- char *list = strdupa (preloadlist); +- char *p; +- + HP_TIMING_NOW (start); +- +- /* Prevent optimizing strsep. Speed is not important here. */ +- while ((p = (strsep) (&list, " :")) != NULL) +- if (p[0] != '\0' +- && (__builtin_expect (! INTUSE(__libc_enable_secure), 1) +- || strchr (p, '/') == NULL)) +- npreloads += do_preload (p, main_map, "LD_PRELOAD"); +- ++ npreloads += handle_ld_preload (preloadlist, main_map); + HP_TIMING_NOW (stop); + HP_TIMING_DIFF (diff, start, stop); + HP_TIMING_ACCUM_NT (load_time, diff); only in patch2: unchanged: --- eglibc-2.15.orig/debian/patches/any/cvs-make-getcwd-fail-if-path-is-no-absolute.diff +++ eglibc-2.15/debian/patches/any/cvs-make-getcwd-fail-if-path-is-no-absolute.diff 
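Review bot: `handle_ld_preload` is defined without `static`, unlike `dso_name_valid_for_suid` just above it, and the only caller visible in this patch is the `dl_main` hunk in the same file. Unless another translation unit needs it, declare it `static unsigned int` so the helper keeps internal linkage inside the loader. Its comment should also say that, for AT_SECURE=1 programs, names of `NAME_MAX` bytes or longer are dropped as well as names containing '/', since that is what `dso_name_valid_for_suid` enforces.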
@@ -0,0 +1,248 @@ +From 52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94 Mon Sep 17 00:00:00 2001 +From: "Dmitry V. Levin" +Date: Sun, 7 Jan 2018 02:03:41 +0000 +Subject: [PATCH] linux: make getcwd(3) fail if it cannot obtain an absolute + path [BZ #22679] + +Currently getcwd(3) can succeed without returning an absolute path +because the underlying getcwd syscall, starting with linux commit +v2.6.36-rc1~96^2~2, may succeed without returning an absolute path. + +This is a conformance issue because "The getcwd() function shall +place an absolute pathname of the current working directory +in the array pointed to by buf, and return buf". + +This is also a security issue because a non-absolute path returned +by getcwd(3) causes a buffer underflow in realpath(3). + +Fix this by checking the path returned by getcwd syscall and falling +back to generic_getcwd if the path is not absolute, effectively making +getcwd(3) fail with ENOENT. The error code is chosen for consistency +with the case when the current directory is unlinked. + +[BZ #22679] +CVE-2018-1000001 +* sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to +generic_getcwd if the path returned by getcwd syscall is not absolute. +* io/tst-getcwd-abspath.c: New test. +* io/Makefile (tests): Add tst-getcwd-abspath. + +--- /dev/null ++++ b/io/tst-getcwd-abspath.c +@@ -0,0 +1,180 @@ ++/* BZ #22679 getcwd(3) should not succeed without returning an absolute path. ++ ++ Copyright (C) 2018 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++static int do_test (void); ++#define TEST_FUNCTION do_test () ++ ++#include "../test-skeleton.c" ++ ++static char *chroot_dir; ++ ++static void ++become_root (void) ++{ ++#ifdef CLONE_NEWUSER ++ if (unshare (CLONE_NEWUSER | CLONE_NEWNS) == 0) ++ /* Even if we do not have UID zero, we have extended privileges at ++ this point. */ ++ return; ++#endif ++ if (setuid (0) != 0) ++ printf ("warning: could not become root outside namespace (%m)\n"); ++} ++ ++static void ++isolate_in_subprocess (void (*callback) (void *), void *closure) ++{ ++ pid_t pid = fork (); ++ if (pid < 0) ++ { ++ printf ("fork failed: %m"); ++ exit (1); ++ } ++ ++ if (pid == 0) ++ { ++ /* Child process. */ ++ callback (closure); ++ _exit (0); ++ } ++ ++ /* Parent process. 
*/ ++ int status; ++ if (waitpid (pid, &status, 0) < 0) ++ { ++ printf ("waitpid failed: %m"); ++ exit (1); ++ } ++ if (status != 0) ++ { ++ printf ("child process exited with status %d", status); ++ exit (1); ++ } ++} ++ ++static void ++can_chroot_callback (void *closure) ++{ ++ int *result = closure; ++ if (chroot ("/dev") != 0) ++ { ++ *result = errno; ++ return; ++ } ++ *result = 0; ++} ++ ++static bool ++can_chroot (void) ++{ ++ int *result = mmap (NULL, sizeof(*result), PROT_READ | PROT_WRITE, ++ MAP_ANONYMOUS | MAP_SHARED, -1, 0); ++ if (result == MAP_FAILED) ++ { ++ printf ("mmap of %zu bytes failed: %m", sizeof(*result)); ++ exit (1); ++ } ++ *result = 0; ++ isolate_in_subprocess (can_chroot_callback, result); ++ bool ok = *result == 0; ++ if (!ok) ++ { ++ errno = *result; ++ printf ("warning: this process does not support chroot: %m\n"); ++ } ++ if (munmap (result, sizeof(*result)) != 0) ++ { ++ printf ("munmap of %zu bytes failed: %m", sizeof(*result)); ++ exit (1); ++ } ++ return ok; ++} ++ ++/* The actual test. Run it in a subprocess, so that the test harness ++ can remove the temporary directory in --direct mode. 
*/ ++static void ++getcwd_callback (void *closure) ++{ ++ if (chroot (chroot_dir) != 0) ++ { ++ printf ("chroot (\"%s\") failed: %m", chroot_dir); ++ _exit (1); ++ } ++ ++ errno = 0; ++ char *cwd = getcwd (NULL, 0); ++ if (errno != ENOENT) ++ { ++ puts ("unexpected errno for getcwd"); ++ _exit (1); ++ } ++ if (cwd != NULL) ++ { ++ puts ("getcwd succeeded"); ++ _exit (1); ++ } ++ ++ errno = 0; ++ cwd = realpath (".", NULL); ++ if (errno != ENOENT) ++ { ++ puts ("unexpected errno for realpath"); ++ _exit (1); ++ } ++ if (cwd != NULL) ++ { ++ _exit (1); ++ puts ("realpath succeeded"); ++ } ++ ++ _exit (0); ++} ++ ++static int ++do_test (void) ++{ ++ become_root (); ++ if (!can_chroot ()) ++ return 0; ++ ++ if (asprintf(&chroot_dir, "%s/tst-getcwd-abspath-XXXXXX", test_dir) < 0) ++ { ++ printf ("asprintf failed: %m"); ++ exit (1); ++ } ++ if (mkdtemp (chroot_dir) == NULL) ++ { ++ printf ("error: mkdtemp (\"%s\"): %m", chroot_dir); ++ exit (1); ++ } ++ add_temp_file (chroot_dir); ++ ++ isolate_in_subprocess (getcwd_callback, NULL); ++ ++ return 0; ++} +--- a/io/Makefile ++++ b/io/Makefile +@@ -74,7 +74,7 @@ + tst-renameat tst-fchownat tst-fchmodat tst-faccessat \ + tst-symlinkat tst-linkat tst-readlinkat tst-mkdirat \ + tst-mknodat tst-mkfifoat tst-ttyname_r \ +- tst-posix_fallocate ++ tst-posix_fallocate tst-getcwd-abspath + tests-$(OPTION_EGLIBC_FTRAVERSE) += bug-ftw1 bug-ftw2 bug-ftw3 bug-ftw4 \ + bug-ftw5 + +--- a/sysdeps/unix/sysv/linux/getcwd.c ++++ b/sysdeps/unix/sysv/linux/getcwd.c +@@ -109,7 +109,7 @@ + int retval; + + retval = INLINE_SYSCALL (getcwd, 2, CHECK_STRING (path), alloc_size); +- if (retval >= 0) ++ if (retval > 0 && path[0] == '/') + { + # ifndef NO_ALLOCATION + if (buf == NULL && size == 0) +@@ -125,10 +125,10 @@ + return buf; + } + +- /* The system call cannot handle paths longer than a page. +- Neither can the magic symlink in /proc/self. Just use the ++ /* The system call either cannot handle paths longer than a page. 
++ or can succeed without returning an absolute path. Just use the + generic implementation right away. */ +- if (errno == ENAMETOOLONG) ++ if (retval >= 0 || errno == ENAMETOOLONG) + { + # ifndef NO_ALLOCATION + if (buf == NULL && size == 0) only in patch2: unchanged: --- eglibc-2.15.orig/debian/patches/any/cvs-harden-glibc-malloc-metadata.patch +++ eglibc-2.15/debian/patches/any/cvs-harden-glibc-malloc-metadata.patch @@ -0,0 +1,33 @@ +From 17f487b7afa7cd6c316040f3e6c86dc96b2eec30 Mon Sep 17 00:00:00 2001 +From: DJ Delorie +Date: Fri, 17 Mar 2017 15:31:38 -0400 +Subject: [PATCH] Further harden glibc malloc metadata against 1-byte + overflows. + +Additional check for chunk_size == next->prev->chunk_size in unlink() + +2017-03-17 Chris Evans + + * malloc/malloc.c (unlink): Add consistency check between size and + next->prev->size, to further harden against 1-byte overflows. + +[Ubuntu note: backported to earlier glibcs that do not have the + prev_size() accessor macro introduced in e9c4fe93; backported to 2.19 + with a different API to the unlink() macro -- sbeattie] +--- + malloc/malloc.c | 2 ++ + 1 file changed, 2 insertions(+) + +Index: b/malloc/malloc.c +=================================================================== +--- a/malloc/malloc.c ++++ b/malloc/malloc.c +@@ -1405,6 +1405,8 @@ typedef struct malloc_chunk *mbinptr; + + /* Take a chunk off a bin list */ + #define unlink(P, BK, FD) { \ ++ if (__builtin_expect (chunksize(P) != (next_chunk(P))->prev_size, 0)) \ ++ malloc_printerr (check_action, "corrupted size vs. prev_size", P); \ + FD = P->fd; \ + BK = P->bk; \ + if (__builtin_expect (FD->bk != P || BK->fd != P, 0)) \ only in patch2: unchanged: --- eglibc-2.15.orig/debian/patches/any/cvs-harden-ignore-LD_HWCAP_MASK.patch +++ eglibc-2.15/debian/patches/any/cvs-harden-ignore-LD_HWCAP_MASK.patch 
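Review bot: In `getcwd_callback` of the new `io/tst-getcwd-abspath.c`, the `realpath` success branch calls `_exit (1);` before `puts ("realpath succeeded");`, so the diagnostic is never printed. The test still fails in that case, but the log does not say why. Swap the two statements to `puts ("realpath succeeded"); _exit (1);`, matching the `getcwd` branch above it. Several `printf` messages in the same file (for example `"fork failed: %m"` and `"waitpid failed: %m"`) also lack a trailing `\n`.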
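Review bot: The added size check in `unlink` has no `else`, so if `malloc_printerr` returns, the macro goes on to `FD = P->fd; BK = P->bk;` and processes the chunk it has just reported as corrupted. Whether `malloc_printerr` can return depends on `check_action`, which is not visible in this hunk, and the rest of the macro lies outside it. If the existing `FD->bk != P || BK->fd != P` check guards the list update with an `else`, fold the new check into the same structure. Otherwise add a comment such as `/* Relies on malloc_printerr not returning for this check_action. */`.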
@@ -0,0 +1,59 @@ +From 1c1243b6fc33c029488add276e56570a07803bfd Mon Sep 17 00:00:00 2001 +From: Siddhesh Poyarekar +Date: Tue, 7 Mar 2017 20:52:04 +0530 +Subject: [PATCH] Ignore and remove LD_HWCAP_MASK for AT_SECURE programs (bug + #21209) + +The LD_HWCAP_MASK environment variable may alter the selection of +function variants for some architectures. For AT_SECURE process it +means that if an outdated routine has a bug that would otherwise not +affect newer platforms by default, LD_HWCAP_MASK will allow that bug +to be exploited. + +To be on the safe side, ignore and disable LD_HWCAP_MASK for setuid +binaries. + + [BZ #21209] + * elf/rtld.c (process_envvars): Ignore LD_HWCAP_MASK for + AT_SECURE processes. + * sysdeps/generic/unsecvars.h: Add LD_HWCAP_MASK. + * elf/tst-env-setuid.c (test_parent): Test LD_HWCAP_MASK. + (test_child): Likewise. + * elf/Makefile (tst-env-setuid-ENV): Add LD_HWCAP_MASK. +--- + ChangeLog | 10 ++++++++++ + elf/Makefile | 3 ++- + elf/rtld.c | 3 ++- + elf/tst-env-setuid.c | 12 ++++++++++++ + sysdeps/generic/unsecvars.h | 1 + + 5 files changed, 27 insertions(+), 2 deletions(-) + +diff --git a/elf/rtld.c b/elf/rtld.c +index a036ece..5986eaf 100644 +--- a/elf/rtld.c ++++ b/elf/rtld.c +@@ -2404,7 +2404,8 @@ process_envvars (enum mode *modep) + + case 10: + /* Mask for the important hardware capabilities. 
*/ +- if (memcmp (envline, "HWCAP_MASK", 10) == 0) ++ if (!__libc_enable_secure ++ && memcmp (envline, "HWCAP_MASK", 10) == 0) + GLRO(dl_hwcap_mask) = __strtoul_internal (&envline[11], NULL, + 0, 0); + break; +diff --git a/sysdeps/generic/unsecvars.h b/sysdeps/generic/unsecvars.h +index a740837..5ea8a4a 100644 +--- a/sysdeps/generic/unsecvars.h ++++ b/sysdeps/generic/unsecvars.h +@@ -16,6 +16,7 @@ + "LD_DEBUG\0" \ + "LD_DEBUG_OUTPUT\0" \ + "LD_DYNAMIC_WEAK\0" \ ++ "LD_HWCAP_MASK\0" \ + "LD_LIBRARY_PATH\0" \ + "LD_ORIGIN_PATH\0" \ + "LD_PRELOAD\0" \ +-- +2.7.4 + only in patch2: unchanged: --- eglibc-2.15.orig/debian/patches/any/CVE-2017-1000366.patch +++ eglibc-2.15/debian/patches/any/CVE-2017-1000366.patch @@ -0,0 +1,35 @@ +From 4d009d39ac9ede0369e268554a181b428f177a80 Mon Sep 17 00:00:00 2001 +Message-Id: <4d009d39ac9ede0369e268554a181b428f177a80.1495998948.git.fweimer@redhat.com> +In-Reply-To: +References: +From: Florian Weimer +Date: Sun, 28 May 2017 20:37:40 +0200 +Subject: [PATCH 1/3] rtld: Completely ignore LD_LIBRARY_PATH for AT_SECURE=1 + programs +To: libc-alpha@sourceware.org + +LD_LIBRARY_PATH can only be used to reorder system search paths, which +is not useful functionality. + +CVE-2017-1000366 +--- + elf/rtld.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/elf/rtld.c b/elf/rtld.c +index 319ef06..824b6cf 100644 +--- a/elf/rtld.c ++++ b/elf/rtld.c +@@ -2419,7 +2419,8 @@ process_envvars (enum mode *modep) + + case 12: + /* The library search path. */ +- if (memcmp (envline, "LIBRARY_PATH", 12) == 0) ++ if (!INTUSE(__libc_enable_secure) ++ && memcmp (envline, "LIBRARY_PATH", 12) == 0) + { + library_path = &envline[13]; + break; +-- +2.9.4 +
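Review bot: The `HWCAP_MASK` case in `process_envvars` tests `!__libc_enable_secure` directly, while the other two rtld patches in this upload (`CVE-2017-1000366.patch` and the `LD_PRELOAD` hardening) use `INTUSE(__libc_enable_secure)` in the same file. For consistency with this tree's convention for internal references inside `ld.so`, write it as `if (!INTUSE(__libc_enable_secure)`. Whether the bare name resolves identically in 2.15 cannot be told from the hunk, and `process_envvars` continues outside it. The diffstat also lists `elf/tst-env-setuid.c` and `elf/Makefile`, which this backport does not carry, so the AT_SECURE behaviour is untested here.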