Package: libc6
Version: 2.31-13+deb11u3
Severity: normal
Tags: patch
X-Debbugs-Cc: iwien...@redhat.com
Dear Maintainer,
The glibc bug
https://sourceware.org/bugzilla/show_bug.cgi?id=24941
fixed by
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=27fe5f2e67a0e4cc0526b1b32b55f8e519075edb
provides fixes for the grantpt() call deadlocking after fork(). This
seems rather esoteric, but has caused difficult-to-debug issues for
Ansible users, e.g.
https://github.com/ansible/ansible/issues/59642
In opendev.org CI (zuul.opendev.org) several users hit this in various
ways as our execution environment is based on Debian Bullseye. We
have pulled a more recent glibc into our images with
https://review.opendev.org/c/zuul/zuul/+/849795
But hopefully we can find a solution that is helpful to everyone.
I have pulled the patch and applied it with minor fuzz updates against
2.31-13+deb11u3. Could we consider having this applied?
Thanks,
-i
-- System Information:
Debian Release: 11.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.18.10-200.fc36.x86_64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
Versions of packages libc6 depends on:
ii libcrypt1 1:4.4.18-4
ii libgcc-s1 10.2.1-6
Versions of packages libc6 recommends:
ii libidn2-0 2.3.0-5
pn libnss-nis
pn libnss-nisplus
Versions of packages libc6 suggests:
ii debconf [debconf-2.0] 1.5.77
pn glibc-doc
pn libc-l10n
pn locales
-- debconf information excluded
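The following program is an added example for this report; it is not code from the bug report, from glibc, or from the Ansible or Zuul projects. It walks the POSIX pty allocation sequence (posix_openpt, grantpt, unlockpt, ptsname_r) and then checks, independently of glibc, whether the slave node already carries the ownership and mode that the NEWS entry in the patch below says the devpts mount must provide, since grantpt() no longer adjusts them. It also shows that grantpt() on a descriptor that is not a ptmx master fails with EINVAL, which is the only check the patched grantpt still performs. Assumptions: the expected policy is the one named in the NEWS text (owner = calling user, group "tty", mode 0620); the helper names (check_pts_policy, grantpt_status, open_pty_master) are mine.

```c
/* Added example, not code from the bug report or from glibc.
   Allocates a pty and checks the slave node against the devpts policy
   the patched glibc expects the administrator to have configured.
   Assumed policy: owner = caller, group "tty", mode 0620 (from NEWS). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define PTS_EXPECTED_MODE 0620   /* user read/write, group write */

/* Bits returned by check_pts_policy(). */
enum { PTS_BAD_MODE = 1, PTS_BAD_OWNER = 2, PTS_BAD_GROUP = 4 };

/* Compare a slave node's stat() fields with the intended devpts policy.
   Returns 0 when everything matches, else a bitmask of PTS_BAD_*.
   Pure function, so it can be checked with constructed values. */
int check_pts_policy(mode_t st_mode, uid_t st_uid, gid_t st_gid,
                     uid_t want_uid, gid_t want_gid)
{
    int bad = 0;
    if ((st_mode & 07777) != PTS_EXPECTED_MODE) bad |= PTS_BAD_MODE;
    if (st_uid != want_uid)                     bad |= PTS_BAD_OWNER;
    if (st_gid != want_gid)                     bad |= PTS_BAD_GROUP;
    return bad;
}

/* Classify grantpt(): 1 = accepted, 0 = rejected because fd is not a
   master pty (POSIX requires EINVAL here), -1 = any other error. */
int grantpt_status(int fd)
{
    if (grantpt(fd) == 0) return 1;
    return errno == EINVAL ? 0 : -1;
}

/* Allocate a master and resolve the slave path.  Returns the master fd,
   or -1 with errno set; on success slave_path holds e.g. "/dev/pts/3". */
int open_pty_master(char *slave_path, size_t len)
{
    int m = posix_openpt(O_RDWR | O_NOCTTY);
    if (m < 0) return -1;
    if (grantpt(m) != 0 || unlockpt(m) != 0 ||
        ptsname_r(m, slave_path, len) != 0) {
        int saved = errno;
        close(m);
        errno = saved;
        return -1;
    }
    return m;
}

int main(void)
{
    char slave[64];
    int m = open_pty_master(slave, sizeof slave);
    if (m < 0) { perror("pty allocation failed (devpts not mounted?)"); return 1; }

    struct stat st;
    if (stat(slave, &st) != 0) { perror(slave); return 1; }
    struct group *tty = getgrnam("tty");
    gid_t want_gid = tty ? tty->gr_gid : (gid_t)-1;
    int bad = check_pts_policy(st.st_mode, st.st_uid, st.st_gid,
                               getuid(), want_gid);
    printf("%s: mode %04o uid %u gid %u -> %s\n", slave,
           (unsigned)(st.st_mode & 07777), (unsigned)st.st_uid,
           (unsigned)st.st_gid, bad ? "does NOT match policy" : "ok");
    if (bad & PTS_BAD_MODE)  printf("  mode should be %04o\n", PTS_EXPECTED_MODE);
    if (bad & PTS_BAD_OWNER) printf("  owner should be uid %u\n", (unsigned)getuid());
    if (bad & PTS_BAD_GROUP) printf("  group should be \"tty\"\n");

    /* A descriptor that is not a ptmx master must be rejected with EINVAL;
       this is all the patched grantpt() still verifies. */
    int nul = open("/dev/null", O_RDWR);
    printf("grantpt(/dev/null) -> %d (0 = rejected with EINVAL)\n",
           grantpt_status(nul));
    close(nul);
    close(m);
    return bad ? 2 : 0;
}
```

Run it as the unprivileged user that will allocate ptys (for example the CI job user). With the patched glibc a mismatch is no longer repaired by grantpt(), so a non-zero exit points at the devpts mount options (gid/mode) rather than at libc.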
commit 27fe5f2e67a0e4cc0526b1b32b55f8e519075edb
Author: Florian Weimer
Date: Wed Oct 7 14:55:04 2020 +0200
Linux: Require properly configured /dev/pts for PTYs
Current systems do not have BSD terminals, so the fallback code in
posix_openpt/getpt does not do anything. Also remove the file system
check for /dev/pts. Current systems always have a devpts file system
mounted there if /dev/ptmx exists.
grantpt is now essentially a no-op. It only verifies that the
argument is a ptmx-descriptor. Therefore, this change indirectly
addresses bug 24941.
Reviewed-by: Adhemerval Zanella
(Cherry-picked by Ian Wienand)
Index: glibc-2.31/INSTALL
===
--- glibc-2.31.orig/INSTALL
+++ glibc-2.31/INSTALL
@@ -184,14 +184,9 @@ if 'CFLAGS' is specified it must enable
'--enable-pt_chown'
The file 'pt_chown' is a helper binary for 'grantpt' (*note
Pseudo-Terminals: Allocation.) that is installed setuid root to fix
- up pseudo-terminal ownership. It is not built by default because
- systems using the Linux kernel are commonly built with the 'devpts'
- filesystem enabled and mounted at '/dev/pts', which manages
- pseudo-terminal ownership automatically. By using
- '--enable-pt_chown', you may build 'pt_chown' and install it setuid
- and owned by 'root'. The use of 'pt_chown' introduces additional
- security risks to the system and you should enable it only if you
- understand and accept those risks.
+ up pseudo-terminal ownership on GNU/Hurd. It is not required on
+ GNU/Linux, and the GNU C Library will not use the installed
+ 'pt_chown' program when configured with '--enable-pt_chown'.
'--disable-werror'
By default, the GNU C Library is built with '-Werror'. If you wish
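Review bot: the replacement paragraph drops the warning that an installed setuid-root 'pt_chown' "introduces additional security risks to the system", while the new first sentence still says the helper is installed setuid root for GNU/Hurd; keep that warning for the Hurd case, where the helper is still used. The sentence "the GNU C Library will not use the installed 'pt_chown' program when configured with '--enable-pt_chown'" should also say explicitly that this is the GNU/Linux behaviour, since read on its own it contradicts the preceding Hurd sentence.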
Index: glibc-2.31/NEWS
===
--- glibc-2.31.orig/NEWS
+++ glibc-2.31/NEWS
@@ -399,6 +399,18 @@ Changes to build and runtime requirement
Older GCC versions and non-GNU compilers are still supported when
compiling programs that use the GNU C Library.
+* On Linux, the system administrator needs to configure /dev/pts with
+ the intended access modes for pseudo-terminals. glibc no longer
+ attemps to adjust permissions of terminal devices. The previous glibc
+ defaults ("tty" group, user read/write and group write) already
+ corresponded to what most systems used, so that grantpt did not
+ perform any adjustments.
+
+* On Linux, the posix_openpt and getpt functions no longer attempt to
+ use legacy (BSD) pseudo-terminals and assume that if /dev/ptmx exists
+ (and pseudo-terminals are supported), a devpts file system is mounted
+ on /dev/pts. Current systems already meet these requirements.
+
Security related changes:
CVE-2019-7309: x86-64 memcmp used signed Jcc instructions to check
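Review bot: this hunk has been applied with fuzz at NEWS line 399, and its trailing context ("Security related changes: CVE-2019-7309: x86-64 memcmp ...") belongs to the section of an earlier release than 2.31, so the two new bullets land under the wrong version heading. For the Debian backport either drop the NEWS hunk (debian/changelog is where the change should be recorded) or move the bullets to the 2.31 section. The first bullet also has a typo, "attemps" for "attempts". Finally, that bullet is a behavioural change for systems whose devpts mount does not already provide the stated modes (glibc previously tried to adjust terminal device permissions and no longer does), so the package changelog should call this out for administrators.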
Index: glibc-2.31/sysdeps/unix/sysv/linux/getpt.c
===
--- glibc-2.31.orig/sysdeps/unix/sysv/linux/getpt.c
+++ glibc-2.31/sysdeps/unix/sysv/linux/getpt.c
@@ -16,69 +16,18 @@
License along with the GNU C Library; if not, see
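Review bot: only the hunk header (69 lines becoming 18) and its first context line of the getpt.c change are included here, so the removal of the BSD fallback and of the /dev/pts file system check described in the commit message cannot be reviewed from this excerpt; the complete hunk needs to be compared against upstream commit 27fe5f2e67a0e4cc0526b1b32b55f8e519075edb before the backport is accepted.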