Re: Glibc vulnerability . . . implications for LFS?

2010-10-27 Thread Baho Utot
On 10/26/10 22:44, Bruce Dubbs wrote: > Drew Ames wrote: > >> Now I have another question. How do I make the patch in the link above >> into a .patch file that I can apply? >> >> Do I fill out the Submitted By, Date, Initial Package Version, >> Upstream Status, Origin, and Description, at the top,

Re: Glibc vulnerability . . . implications for LFS?

2010-10-27 Thread Ken Moffat
On Wed, Oct 27, 2010 at 03:07:39AM -0400, linux fan wrote: > > If one meant howto make > http://sourceware.org/ml/libc-hacker/2010-10/msg00010.html > into a patch, it must be reliably copied without space damage by some means. > Perhaps on that link, could click "raw text", then select all, CTRL-

Re: Glibc vulnerability . . . implications for LFS?

2010-10-27 Thread linux fan
On 10/26/10, Drew Ames wrote: > On 10/26/2010 01:26 AM, DJ Lucas wrote: >> >>> That patch is now also available, in LFS format, from >>> > http://www.linuxfromscratch.org/patches/downloads/glibc/glibc-2.12.1-origin_fix-1.patch. >>> >>> Apply usin

Re: Glibc vulnerability . . . implications for LFS?

2010-10-26 Thread DJ Lucas
On 10/26/2010 09:44 PM, Bruce Dubbs wrote: > Drew Ames wrote: > >> Now I have another question. How do I make the patch in the link above >> into a .patch file that I can apply? >> >> Do I fill out the Submitted By, Date, Initial Package Version, >> Upstream Status, Origin, and Description, at the

Re: Glibc vulnerability . . . implications for LFS?

2010-10-26 Thread Bruce Dubbs
Drew Ames wrote: > Now I have another question. How do I make the patch in the link above > into a .patch file that I can apply? > > Do I fill out the Submitted By, Date, Initial Package Version, > Upstream Status, Origin, and Description, at the top, paste in the > information from the link star

Re: Glibc vulnerability . . . implications for LFS?

2010-10-26 Thread Drew Ames
On 10/26/2010 01:26 AM, DJ Lucas wrote: > >> That patch is now also available, in LFS format, from >> http://www.linuxfromscratch.org/patches/downloads/glibc/glibc-2.12.1-origin_fix-1.patch. >> >> Apply using the usual 'patch -Np1 -i ../glibc-2.12.1-or

Re: Glibc vulnerability . . . implications for LFS?

2010-10-26 Thread Ken Moffat
On Tue, Oct 26, 2010 at 12:09:39PM -0500, DJ Lucas wrote: > "Bruce Dubbs" wrote: > > > >Is there a special technique or did you just do a make install? > > Just a straight "make install" but keep in mind that it was same version, > just the patches added. I also have backups of all installed f

Re: Glibc vulnerability . . . implications for LFS?

2010-10-26 Thread Gilles Espinasse
- Original Message - From: "Bruce Dubbs" To: "LFS Developers Mailinglist" Sent: Tuesday, October 26, 2010 6:13 PM Subject: Re: Glibc vulnerability . . . implications for LFS? > DJ Lucas wrote: > > On 10/26/2010 04:51 AM, Matthew Burgess wrote: > >>

Re: Glibc vulnerability . . . implications for LFS?

2010-10-26 Thread DJ Lucas
"Bruce Dubbs" wrote: >DJ Lucas wrote: >> Also, just for kicks, I did a live update of Glibc on system running >> Gnome at the time. It had been a while since I had done an in-place >> update of glibc but no problems as usual. Of course I rebooted pretty >> quick, but I haven't had any issues wit

Re: Glibc vulnerability . . . implications for LFS?

2010-10-26 Thread Bruce Dubbs
DJ Lucas wrote: > On 10/26/2010 04:51 AM, Matthew Burgess wrote: >> Thanks DJ! Was that in conjunction with the original patch I submitted, >> or instead of? >> >> Regards, >> >> Matt. >> > Yes, both patches were applied. > > Also, just for kicks, I did a live update of Glibc on system running >

Re: Glibc vulnerability . . . implications for LFS?

2010-10-26 Thread DJ Lucas
On 10/26/2010 04:51 AM, Matthew Burgess wrote: > > Thanks DJ! Was that in conjunction with the original patch I submitted, > or instead of? > > Regards, > > Matt. > Yes, both patches were applied. Also, just for kicks, I did a live update of Glibc on system running Gnome at the time. It had b

Re: Glibc vulnerability . . . implications for LFS?

2010-10-26 Thread Matthew Burgess
On Tue, 26 Oct 2010 03:51:48 -0500, DJ Lucas wrote: > On 10/26/2010 12:26 AM, DJ Lucas wrote: > >> >> Additional part. Haven't tested. >> >> http://sourceware.org/ml/libc-hacker/2010-10/msg00010.html >> >> Makes LD_AUDIT behave same as LD_PRELOAD. >> >> Will rebuild glibc in a few moments on thi

Re: Glibc vulnerability . . . implications for LFS?

2010-10-26 Thread DJ Lucas
On 10/26/2010 12:26 AM, DJ Lucas wrote: > > Additional part. Haven't tested. > > http://sourceware.org/ml/libc-hacker/2010-10/msg00010.html > > Makes LD_AUDIT behave same as LD_PRELOAD. > > Will rebuild glibc in a few moments on this system see if it fixes it. That got it on 2.11.1. -- DJ

Re: Glibc vulnerability . . . implications for LFS?

2010-10-25 Thread DJ Lucas
On 10/24/2010 11:14 AM, Matthew Burgess wrote: > On Sun, 24 Oct 2010 9:59:25 -0600, Matthew Burgess > wrote: >> On Sun, 24 Oct 2010 11:38:27 -0400, Drew Ames wrote: >> >>> 1) Is it worth downloading and using the development version of Glibc >>> from git://sourceware.org/git/glibc.git to build L

Re: Glibc vulnerability . . . implications for LFS?

2010-10-25 Thread Matthew Burgess
On Mon, 25 Oct 2010 02:17:48 -0500, DJ Lucas wrote: > That should have worked. Did you try a reboot before testing to clear > cache? Yes, I rebooted. Thanks for confirming in your other mail that the patch doesn't have the desired effect. I guess we'll have to wait and see what happens on the

Re: Glibc vulnerability . . . implications for LFS?

2010-10-25 Thread DJ Lucas
On 10/24/2010 06:13 PM, Matthew Burgess wrote: > On Sun, 24 Oct 2010 16:32:48 -0600, Matthew Burgess > wrote: > >> It'll be a while until I run another full build, but I'm recompiling glibc >> now, with the patch I uploaded earlier. I'll post results tomorrow, but >> expect it to work just fine

Re: Glibc vulnerability . . . implications for LFS?

2010-10-25 Thread DJ Lucas
On 10/25/2010 01:57 AM, Matthew Burgess wrote: > On Sun, 24 Oct 2010 19:13:09 -0700, Bryan Kadzban > wrote: > >> Well, if I had any other users on this system, I'd think about patching >> 2.10.1 and trying it out -- but since I don't, I'll probably just wait >> until the next full system rebuild

Re: Glibc vulnerability . . . implications for LFS?

2010-10-25 Thread DJ Lucas
On 10/25/2010 01:57 AM, Matthew Burgess wrote: > On Sun, 24 Oct 2010 19:13:09 -0700, Bryan Kadzban > wrote: > >> Well, if I had any other users on this system, I'd think about patching >> 2.10.1 and trying it out -- but since I don't, I'll probably just wait >> until the next full system rebuild

Re: Glibc vulnerability . . . implications for LFS?

2010-10-25 Thread DJ Lucas
On 10/24/2010 09:48 PM, Bruce Dubbs wrote: > Bryan Kadzban wrote: > >> Ah, I think I see. You have to put libbad.so into /lib64 (emulating >> libpcprofile), then set LD_AUDIT to just "libbad.so.0", with no path. >> At that point it works as expected (at least for me). (Though this is a >> multil

Re: Glibc vulnerability . . . implications for LFS?

2010-10-25 Thread Matthew Burgess
On Sun, 24 Oct 2010 19:13:09 -0700, Bryan Kadzban wrote: > Well, if I had any other users on this system, I'd think about patching > 2.10.1 and trying it out -- but since I don't, I'll probably just wait > until the next full system rebuild. (Replacing glibc on a running > system is ... nontriv

Re: Glibc vulnerability . . . implications for LFS?

2010-10-25 Thread Matthew Burgess
On Sun, 24 Oct 2010 21:48:39 -0500, Bruce Dubbs wrote: > Bryan Kadzban wrote: > >> Ah, I think I see. You have to put libbad.so into /lib64 (emulating >> libpcprofile), then set LD_AUDIT to just "libbad.so.0", with no path. >> At that point it works as expected (at least for me). (Though this i

Re: Glibc vulnerability . . . implications for LFS?

2010-10-24 Thread Bruce Dubbs
Bryan Kadzban wrote: > Ah, I think I see. You have to put libbad.so into /lib64 (emulating > libpcprofile), then set LD_AUDIT to just "libbad.so.0", with no path. > At that point it works as expected (at least for me). (Though this is a > multilib setup. But ping is 64-bit; on a single-bit-widt

Re: Glibc vulnerability . . . implications for LFS?

2010-10-24 Thread Bryan Kadzban
Matthew Burgess wrote: > On Sun, 24 Oct 2010 10:25:26 -0700, Bryan Kadzban > wrote: > >> You can make your own simple library like this: >> >> cat > >> >> void __attribute__((constructor)) init() { >> mkdir(getenv("EXPLOIT_TGT"), 0755); } EOF gcc -fPIC -sh

Re: Glibc vulnerability . . . implications for LFS?

2010-10-24 Thread Matthew Burgess
On Sun, 24 Oct 2010 16:32:48 -0600, Matthew Burgess wrote: > It'll be a while until I run another full build, but I'm recompiling glibc > now, with the patch I uploaded earlier. I'll post results tomorrow, but > expect it to work just fine. Well, it didn't appear to fix the vulnerability here,

Re: Glibc vulnerability . . . implications for LFS?

2010-10-24 Thread Matthew Burgess
On Sun, 24 Oct 2010 10:25:26 -0700, Bryan Kadzban wrote: > You can make your own simple library like this: > > cat #include > #include > #include > > void __attribute__((constructor)) init() { > mkdir(getenv("EXPLOIT_TGT"), 0755); > } > EOF > gcc -fPIC -shared -o /tmp/libbad.so.0

Re: Glibc vulnerability . . . implications for LFS?

2010-10-24 Thread Bryan Kadzban
Matthew Burgess wrote: > Quoting from the vulnerability description above: > > "This security issue allows a local attacker to gain root if they can > create a hard link to a setuid root binary." > > So, on your system, is that possible? That's actually not the only exploit vector. See the fol

Re: Glibc vulnerability . . . implications for LFS?

2010-10-24 Thread Matthew Burgess
On Sun, 24 Oct 2010 9:59:25 -0600, Matthew Burgess wrote: > On Sun, 24 Oct 2010 11:38:27 -0400, Drew Ames wrote: > >> 1) Is it worth downloading and using the development version of Glibc >> from git://sourceware.org/git/glibc.git to build LFS with the updated >> source? > > I wouldn't be keen

Re: Glibc vulnerability . . . implications for LFS?

2010-10-24 Thread Matthew Burgess
On Sun, 24 Oct 2010 11:38:27 -0400, Drew Ames wrote: > Hi all, > > Here's an interesting security update from Slackware that gives some > information on a recent vulnerability exposed in Glibc: > > glibc-2.11.1-i486-4_slack13.1.txz: Rebuilt. >

Glibc vulnerability . . . implications for LFS?

2010-10-24 Thread Drew Ames
Hi all, Here's an interesting security update from Slackware that gives some information on a recent vulnerability exposed in Glibc: glibc-2.11.1-i486-4_slack13.1.txz: Rebuilt. Patched "dynamic linker expands $ORIGIN in setuid library search p