Date: Thursday, December 16, 2010 @ 19:55:50 Author: allan Revision: 103261
binutils-2.21 toolchain rebuild, bump to latest upstream, build outside source directory, remove patches included upstream, update patch for origin privilege expliot from Fedora, keep scsi.h, provide gai.conf Added: glibc/trunk/glibc-2.12.2-ignore-origin-of-privileged-program.patch Modified: glibc/trunk/PKGBUILD glibc/trunk/glibc.install Deleted: glibc/trunk/glibc-2.12.1-but-I-am-an-i686.patch glibc/trunk/glibc-2.12.1-fix-IPTOS_CLASS-definition.patch glibc/trunk/glibc-2.12.1-make-3.82-compatibility.patch glibc/trunk/glibc-2.12.1-never-expand-origin-when-privileged.patch glibc/trunk/glibc-2.12.1-require-suid-on-audit.patch --------------------------------------------------------+ PKGBUILD | 70 +--- glibc-2.12.1-but-I-am-an-i686.patch | 22 - glibc-2.12.1-fix-IPTOS_CLASS-definition.patch | 34 -- glibc-2.12.1-make-3.82-compatibility.patch | 29 - glibc-2.12.1-never-expand-origin-when-privileged.patch | 85 ----- glibc-2.12.1-require-suid-on-audit.patch | 218 --------------- glibc-2.12.2-ignore-origin-of-privileged-program.patch | 26 + glibc.install | 5 8 files changed, 52 insertions(+), 437 deletions(-) Modified: PKGBUILD =================================================================== --- PKGBUILD 2010-12-17 00:51:31 UTC (rev 103260) +++ PKGBUILD 2010-12-17 00:55:50 UTC (rev 103261) @@ -1,22 +1,20 @@ # $Id$ -# Maintainer: Jan de Groot <[email protected]> # Maintainer: Allan McRae <[email protected]> # toolchain build order: linux-api-headers->glibc->binutils->gcc->binutils->glibc # NOTE: valgrind requires rebuilt with each new glibc version pkgname=glibc -pkgver=2.12.1 -pkgrel=4 -_glibcdate=20101025 +pkgver=2.12.2 +pkgrel=1 +_glibcdate=20101214 pkgdesc="GNU C Library" arch=('i686' 'x86_64') url="http://www.gnu.org/software/libc" license=('GPL' 'LGPL') groups=('base') -depends=('linux-api-headers>=2.6.34' 'tzdata') +depends=('linux-api-headers>=2.6.36.2' 'tzdata') makedepends=('gcc>=4.4') -replaces=('glibc-xen') backup=(etc/locale.gen etc/nscd.conf) options=('!strip') 
@@ -25,25 +23,17 @@ glibc-2.10-dont-build-timezone.patch glibc-2.10-bz4781.patch glibc-__i686.patch - glibc-2.12.1-make-3.82-compatibility.patch glibc-2.12.1-static-shared-getpagesize.patch - glibc-2.12.1-but-I-am-an-i686.patch - glibc-2.12.1-fix-IPTOS_CLASS-definition.patch - glibc-2.12.1-never-expand-origin-when-privileged.patch - glibc-2.12.1-require-suid-on-audit.patch + glibc-2.12.2-ignore-origin-of-privileged-program.patch nscd locale.gen.txt locale-gen) -md5sums=('b12192eff7306f2a6e919641b847e7cf' +md5sums=('e2d03fb95c9f838177284192dea063dc' '4dadb9203b69a3210d53514bb46f41c3' '0c5540efc51c0b93996c51b57a8540ae' '40cd342e21f71f5e49e32622b25acc52' - '1deecaa78c0909f7175732da2af796b5' 'a3ac6f318d680347bb6e2805d42b73b2' - 'de17165e3fa721c4e056dacfc9ee1e52' - 'fdc0908c9971fcf9b32e1185954b6eeb' - 'e154dbe21d4e24968ab257ffd9c106f2' - 'bbc99319ad78fe9eb1ac217efc770ac6' + 'b042647ea7d6f22ad319e12e796bd13e' 'b587ee3a70c9b3713099295609afde49' '07ac979b6ab5eeb778d55f041529d623' '476e9113489f93b348b21e144b6a8fcf') @@ -51,7 +41,7 @@ mksource() { git clone git://sourceware.org/git/glibc.git pushd glibc - git checkout -b glibc-2.12-arch origin/release/2.12/master + git checkout -b glibc-2.12-arch origin/release/2.12/master || return 1 popd tar -cvJf glibc-${pkgver}_${_glibcdate}.tar.xz glibc/* } 
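Review bot: In `mksource()` only the `git checkout` line gained `|| return 1`; a failed `git clone` or `pushd glibc` still falls through to the `tar` step, which can produce an incomplete or wrong source tarball. The clone also uses the unauthenticated `git://` transport, and the tarball is cut from whatever `origin/release/2.12/master` points at when the function runs, so `_glibcdate` is the only record of what was packaged. I would add `|| return 1` to the `git clone` and `pushd glibc` lines as well, and record the snapshot's commit id in a comment next to `_glibcdate`, for example `# snapshot of commit <COMMIT_ID>`, so the tarball behind the new md5sum can be reproduced and compared.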
@@ -69,31 +59,18 @@ # http://sourceware.org/ml/libc-alpha/2009-07/msg00072.html patch -Np1 -i ${srcdir}/glibc-__i686.patch - # http://sourceware.org/git/?p=glibc.git;a=patch;h=32cf4069 - patch -Np1 -i ${srcdir}/glibc-2.12.1-make-3.82-compatibility.patch - # http://sourceware.org/bugzilla/show_bug.cgi?id=11929 # using Fedora "fix" as patch in that bug report causes breakages... patch -Np1 -i ${srcdir}/glibc-2.12.1-static-shared-getpagesize.patch - - # fedora "fix" for excess linker optimization on i686 - # proper fix will be in binutils-2.21 - patch -Np1 -i ${srcdir}/glibc-2.12.1-but-I-am-an-i686.patch # http://www.exploit-db.com/exploits/15274/ - # http://sourceware.org/git/?p=glibc.git;a=patch;h=2232b90f (only fedora branch...) - patch -Np1 -i ${srcdir}/glibc-2.12.1-never-expand-origin-when-privileged.patch + # http://sourceware.org/git/?p=glibc.git;a=patch;h=d14e6b09 (only fedora branch...) + patch -Np1 -i ${srcdir}/glibc-2.12.2-ignore-origin-of-privileded-program.patch - # http://www.exploit-db.com/exploits/15304/ - # http://sourceware.org/git/?p=glibc.git;a=patch;h=8e9f92e9 - patch -Np1 -i ${srcdir}/glibc-2.12.1-require-suid-on-audit.patch - - # http://sources.redhat.com/git/?p=glibc.git;a=patch;h=15bac72b - patch -Np1 -i ${srcdir}/glibc-2.12.1-fix-IPTOS_CLASS-definition.patch - install -dm755 ${pkgdir}/etc touch ${pkgdir}/etc/ld.so.conf + cd ${srcdir} mkdir glibc-build cd glibc-build 
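Review bot: The new `patch` line names `glibc-2.12.2-ignore-origin-of-privileded-program.patch`, but the `source` array and the file added by this commit are spelled `...-privileged-program.patch`. As written the file will not be found in `${srcdir}`, so the $ORIGIN fix that the exploit-db 15274 comment refers to is either not applied or the build stops, depending on how makepkg treats the failing command. The line should read `patch -Np1 -i ${srcdir}/glibc-2.12.2-ignore-origin-of-privileged-program.patch`. Because this hunk also drops the require-suid-on-audit patch as included upstream, it is worth confirming after the build that both loader hardening changes are present in the packaged `ld.so`. The enclosing `build()` function starts and ends outside this hunk.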
@@ -104,12 +81,15 @@ echo "slibdir=/lib" >> configparms - ../configure --prefix=/usr \ - --enable-add-ons=nptl,libidn --without-cvs \ - --enable-kernel=2.6.18 --disable-profile \ - --with-headers=/usr/include --libexecdir=/usr/lib \ - --enable-bind-now --with-tls --with-__thread \ - --libdir=/usr/lib --without-gd --disable-multi-arch + ${srcdir}/glibc/configure --prefix=/usr \ + --libdir=/usr/lib --libexecdir=/usr/lib \ + --with-headers=/usr/include \ + --enable-add-ons=nptl,libidn \ + --enable-kernel=2.6.27 \ + --with-tls --with-__thread \ + --enable-bind-now --without-gd \ + --without-cvs --disable-profile \ + --disable-multi-arch make @@ -118,20 +98,18 @@ } package() { - cd ${srcdir}/glibc/glibc-build + cd ${srcdir}/glibc-build make install_root=${pkgdir} install - # provided by kernel-headers - rm ${pkgdir}/usr/include/scsi/scsi.h + rm ${pkgdir}/etc/ld.so.{cache,conf} - rm ${pkgdir}/etc/ld.so.conf - install -dm755 ${pkgdir}/etc/rc.d install -dm755 ${pkgdir}/usr/sbin install -dm755 ${pkgdir}/usr/lib/locale install -m644 ${srcdir}/glibc/nscd/nscd.conf ${pkgdir}/etc/nscd.conf install -m755 ${srcdir}/nscd ${pkgdir}/etc/rc.d/nscd install -m755 ${srcdir}/locale-gen ${pkgdir}/usr/sbin + install -m755 ${srcdir}/glibc/posix/gai.conf ${pkgdir}/etc/gai.conf sed -i -e 's/^\tserver-user/#\tserver-user/' ${pkgdir}/etc/nscd.conf @@ -146,7 +124,7 @@ if [[ ${CARCH} = "x86_64" ]]; then # fix for the linker sed -i '/RTLDLIST/s%lib64%lib%' ${pkgdir}/usr/bin/ldd - #Comply with multilib binaries, they look for the linker in /lib64 + # Comply with multilib binaries, they look for the linker in /lib64 mkdir ${pkgdir}/lib64 cd ${pkgdir}/lib64 ln -v -s ../lib/ld* . Deleted: glibc-2.12.1-but-I-am-an-i686.patch =================================================================== --- glibc-2.12.1-but-I-am-an-i686.patch 2010-12-17 00:51:31 UTC (rev 103260) +++ glibc-2.12.1-but-I-am-an-i686.patch 2010-12-17 00:55:50 UTC (rev 103261) 
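Review bot: The rewritten `configure` call raises `--enable-kernel` from `2.6.18` to `2.6.27`, which the commit message does not mention. A glibc built this way will presumably refuse to start on older kernels, so an upgrade on such a machine could leave it without a working libc. I would put a comment above the call, such as `# minimum supported kernel is now 2.6.27 (was 2.6.18)`, and mention the new floor in the commit message or in `glibc.install`. The `build()` function this call belongs to starts and ends outside the hunk.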
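Review bot: In `package()`, the new `gai.conf` line installs a plain configuration file with mode 755, while `nscd.conf` just above it uses 644. A config file in `/etc` has no reason to be executable, so the line should be `install -m644 ${srcdir}/glibc/posix/gai.conf ${pkgdir}/etc/gai.conf`. I would also add `etc/gai.conf` to the `backup=` array so local edits to the address-selection policy are not overwritten on upgrade. The body of `package()` continues past this hunk.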
@@ -1,22 +0,0 @@ ---- glibc-2.12-62-gb08c89d/sysdeps/i386/i686/Makefile -+++ glibc-2.12.90-6/sysdeps/i386/i686/Makefile -@@ -9,19 +9,3 @@ stack-align-test-flags += -msse - ifeq ($(subdir),string) - sysdep_routines += cacheinfo - endif -- --ifeq (yes,$(config-asflags-i686)) --CFLAGS-.o += -Wa,-mtune=i686 --CFLAGS-.os += -Wa,-mtune=i686 --CFLAGS-.op += -Wa,-mtune=i686 --CFLAGS-.og += -Wa,-mtune=i686 --CFLAGS-.ob += -Wa,-mtune=i686 --CFLAGS-.oS += -Wa,-mtune=i686 -- --ASFLAGS-.o += -Wa,-mtune=i686 --ASFLAGS-.os += -Wa,-mtune=i686 --ASFLAGS-.op += -Wa,-mtune=i686 --ASFLAGS-.og += -Wa,-mtune=i686 --ASFLAGS-.ob += -Wa,-mtune=i686 --ASFLAGS-.oS += -Wa,-mtune=i686 --endif Deleted: glibc-2.12.1-fix-IPTOS_CLASS-definition.patch =================================================================== --- glibc-2.12.1-fix-IPTOS_CLASS-definition.patch 2010-12-17 00:51:31 UTC (rev 103260) +++ glibc-2.12.1-fix-IPTOS_CLASS-definition.patch 2010-12-17 00:55:50 UTC (rev 103261) 
@@ -1,34 +0,0 @@ -From 15bac72bac03faeb3b725b1d208c62160f0c3ad7 Mon Sep 17 00:00:00 2001 -From: Ulrich Drepper <[email protected]> -Date: Wed, 11 Aug 2010 07:44:03 -0700 -Subject: [PATCH] Fix IPTOS_CLASS definition. - ---- - ChangeLog | 4 ++++ - NEWS | 4 ++-- - sysdeps/generic/netinet/ip.h | 5 ++--- - 3 files changed, 8 insertions(+), 5 deletions(-) - -diff --git a/sysdeps/generic/netinet/ip.h b/sysdeps/generic/netinet/ip.h -index a837b98..4955fee 100644 ---- a/sysdeps/generic/netinet/ip.h -+++ b/sysdeps/generic/netinet/ip.h -@@ -1,5 +1,4 @@ --/* Copyright (C) 1991,92,93,95,96,97,98,99,2000,2009 Free Software -- Foundation, Inc. -+/* Copyright (C) 1991-1993,1995-2000,2009,2010 Free Software Foundation, Inc. - This file is part of the GNU C Library. - - The GNU C Library is free software; you can redistribute it and/or -@@ -194,7 +193,7 @@ struct ip_timestamp - */ - - #define IPTOS_CLASS_MASK 0xe0 --#define IPTOS_CLASS(class) ((tos) & IPTOS_CLASS_MASK) -+#define IPTOS_CLASS(class) ((class) & IPTOS_CLASS_MASK) - #define IPTOS_CLASS_CS0 0x00 - #define IPTOS_CLASS_CS1 0x20 - #define IPTOS_CLASS_CS2 0x40 --- -1.7.2 - Deleted: glibc-2.12.1-make-3.82-compatibility.patch =================================================================== --- glibc-2.12.1-make-3.82-compatibility.patch 2010-12-17 00:51:31 UTC (rev 103260) +++ glibc-2.12.1-make-3.82-compatibility.patch 2010-12-17 00:55:50 UTC (rev 103261) 
@@ -1,29 +0,0 @@ -From 32cf40699346d37fabfa887bbd95e95004799ae1 Mon Sep 17 00:00:00 2001 -From: Andreas Schwab <[email protected]> -Date: Mon, 6 Sep 2010 14:55:59 +0200 -Subject: [PATCH 1/1] Don't mix pattern rules with normal rules - ---- - ChangeLog | 4 ++++ - manual/Makefile | 5 ++++- - 2 files changed, 8 insertions(+), 1 deletions(-) - -diff --git a/manual/Makefile b/manual/Makefile -index c5866eb..b1f5fa7 100644 ---- a/manual/Makefile -+++ b/manual/Makefile -@@ -232,7 +232,10 @@ ifdef objpfx - .PHONY: stubs - stubs: $(objpfx)stubs - endif --$(objpfx)stubs ../po/manual.pot $(objpfx)stamp%: -+$(objpfx)stubs ../po/manual.pot: -+ $(make-target-directory) -+ touch $@ -+$(objpfx)stamp%: - $(make-target-directory) - touch $@ - --- -1.7.2 - Deleted: glibc-2.12.1-never-expand-origin-when-privileged.patch =================================================================== --- glibc-2.12.1-never-expand-origin-when-privileged.patch 2010-12-17 00:51:31 UTC (rev 103260) +++ glibc-2.12.1-never-expand-origin-when-privileged.patch 2010-12-17 00:55:50 UTC (rev 103261) 
@@ -1,85 +0,0 @@ -From 2232b90f0bd3a41b4d63cac98a5b60abbfaccd46 Mon Sep 17 00:00:00 2001 -From: Andreas Schwab <[email protected]> -Date: Mon, 18 Oct 2010 11:46:00 +0200 -Subject: [PATCH] Never expand $ORIGIN in privileged programs - ---- - ChangeLog | 6 ++++++ - elf/dl-load.c | 30 +++++++++++++----------------- - 2 files changed, 19 insertions(+), 17 deletions(-) - -diff --git a/elf/dl-load.c b/elf/dl-load.c -index 0adddf5..1cc6f25 100644 ---- a/elf/dl-load.c -+++ b/elf/dl-load.c -@@ -169,8 +169,7 @@ local_strdup (const char *s) - - - static size_t --is_dst (const char *start, const char *name, const char *str, -- int is_path, int secure) -+is_dst (const char *start, const char *name, const char *str, int is_path) - { - size_t len; - bool is_curly = false; -@@ -199,11 +198,6 @@ is_dst (const char *start, const char *name, const char *str, - && (!is_path || name[len] != ':')) - return 0; - -- if (__builtin_expect (secure, 0) -- && ((name[len] != '\0' && (!is_path || name[len] != ':')) -- || (name != start + 1 && (!is_path || name[-2] != ':')))) -- return 0; -- - return len; - } - -@@ -218,13 +212,12 @@ _dl_dst_count (const char *name, int is_path) - { - size_t len; - -- /* $ORIGIN is not expanded for SUID/GUID programs (except if it -- is $ORIGIN alone) and it must always appear first in path. */ -+ /* $ORIGIN is not expanded for SUID/GUID programs. 
*/ - ++name; -- if ((len = is_dst (start, name, "ORIGIN", is_path, -- INTUSE(__libc_enable_secure))) != 0 -- || (len = is_dst (start, name, "PLATFORM", is_path, 0)) != 0 -- || (len = is_dst (start, name, "LIB", is_path, 0)) != 0) -+ if (((len = is_dst (start, name, "ORIGIN", is_path)) != 0 -+ && !INTUSE(__libc_enable_secure)) -+ || (len = is_dst (start, name, "PLATFORM", is_path)) != 0 -+ || (len = is_dst (start, name, "LIB", is_path)) != 0) - ++cnt; - - name = strchr (name + len, '$'); -@@ -256,9 +249,12 @@ _dl_dst_substitute (struct link_map *l, const char *name, char *result, - size_t len; - - ++name; -- if ((len = is_dst (start, name, "ORIGIN", is_path, -- INTUSE(__libc_enable_secure))) != 0) -+ if ((len = is_dst (start, name, "ORIGIN", is_path)) != 0) - { -+ /* Ignore this path element in SUID/SGID programs. */ -+ if (INTUSE(__libc_enable_secure)) -+ repl = (const char *) -1; -+ else - #ifndef SHARED - if (l == NULL) - repl = _dl_get_origin (); -@@ -266,9 +262,9 @@ _dl_dst_substitute (struct link_map *l, const char *name, char *result, - #endif - repl = l->l_origin; - } -- else if ((len = is_dst (start, name, "PLATFORM", is_path, 0)) != 0) -+ else if ((len = is_dst (start, name, "PLATFORM", is_path)) != 0) - repl = GLRO(dl_platform); -- else if ((len = is_dst (start, name, "LIB", is_path, 0)) != 0) -+ else if ((len = is_dst (start, name, "LIB", is_path)) != 0) - repl = DL_DST_LIB; - - if (repl != NULL && repl != (const char *) -1) --- -1.7.2 - Deleted: glibc-2.12.1-require-suid-on-audit.patch =================================================================== --- glibc-2.12.1-require-suid-on-audit.patch 2010-12-17 00:51:31 UTC (rev 103260) +++ glibc-2.12.1-require-suid-on-audit.patch 2010-12-17 00:55:50 UTC (rev 103261) 
@@ -1,218 +0,0 @@ -From 8e9f92e9d5d7737afdacf79b76d98c4c42980508 Mon Sep 17 00:00:00 2001 -From: Andreas Schwab <[email protected]> -Date: Sun, 24 Oct 2010 21:43:15 -0400 -Subject: [PATCH 1/1] Require suid bit on audit objects in privileged programs - ---- - ChangeLog | 15 +++++++++++++++ - elf/dl-deps.c | 2 +- - elf/dl-load.c | 20 +++++++++++--------- - elf/dl-open.c | 2 +- - elf/rtld.c | 16 +++++++--------- - include/dlfcn.h | 1 + - sysdeps/generic/ldsodefs.h | 6 ++---- - 7 files changed, 38 insertions(+), 24 deletions(-) - -diff --git a/elf/dl-deps.c b/elf/dl-deps.c -index a58de5c..a51fb6e 100644 ---- a/elf/dl-deps.c -+++ b/elf/dl-deps.c -@@ -62,7 +62,7 @@ openaux (void *a) - { - struct openaux_args *args = (struct openaux_args *) a; - -- args->aux = _dl_map_object (args->map, args->name, 0, -+ args->aux = _dl_map_object (args->map, args->name, - (args->map->l_type == lt_executable - ? lt_library : args->map->l_type), - args->trace_mode, args->open_mode, -diff --git a/elf/dl-load.c b/elf/dl-load.c -index a7162eb..aa8738f 100644 ---- a/elf/dl-load.c -+++ b/elf/dl-load.c -@@ -1812,7 +1812,7 @@ open_verify (const char *name, struct filebuf *fbp, struct link_map *loader, - if MAY_FREE_DIRS is true. */ - - static int --open_path (const char *name, size_t namelen, int preloaded, -+open_path (const char *name, size_t namelen, int secure, - struct r_search_path_struct *sps, char **realname, - struct filebuf *fbp, struct link_map *loader, int whatcode, - bool *found_other_class) -@@ -1894,7 +1894,7 @@ open_path (const char *name, size_t namelen, int preloaded, - /* Remember whether we found any existing directory. 
*/ - here_any |= this_dir->status[cnt] != nonexisting; - -- if (fd != -1 && __builtin_expect (preloaded, 0) -+ if (fd != -1 && __builtin_expect (secure, 0) - && INTUSE(__libc_enable_secure)) - { - /* This is an extra security effort to make sure nobody can -@@ -1963,7 +1963,7 @@ open_path (const char *name, size_t namelen, int preloaded, - - struct link_map * - internal_function --_dl_map_object (struct link_map *loader, const char *name, int preloaded, -+_dl_map_object (struct link_map *loader, const char *name, - int type, int trace_mode, int mode, Lmid_t nsid) - { - int fd; -@@ -2067,7 +2067,8 @@ _dl_map_object (struct link_map *loader, const char *name, int preloaded, - for (l = loader; l; l = l->l_loader) - if (cache_rpath (l, &l->l_rpath_dirs, DT_RPATH, "RPATH")) - { -- fd = open_path (name, namelen, preloaded, &l->l_rpath_dirs, -+ fd = open_path (name, namelen, mode & __RTLD_SECURE, -+ &l->l_rpath_dirs, - &realname, &fb, loader, LA_SER_RUNPATH, - &found_other_class); - if (fd != -1) -@@ -2082,14 +2083,15 @@ _dl_map_object (struct link_map *loader, const char *name, int preloaded, - && main_map != NULL && main_map->l_type != lt_loaded - && cache_rpath (main_map, &main_map->l_rpath_dirs, DT_RPATH, - "RPATH")) -- fd = open_path (name, namelen, preloaded, &main_map->l_rpath_dirs, -+ fd = open_path (name, namelen, mode & __RTLD_SECURE, -+ &main_map->l_rpath_dirs, - &realname, &fb, loader ?: main_map, LA_SER_RUNPATH, - &found_other_class); - } - - /* Try the LD_LIBRARY_PATH environment variable. 
*/ - if (fd == -1 && env_path_list.dirs != (void *) -1) -- fd = open_path (name, namelen, preloaded, &env_path_list, -+ fd = open_path (name, namelen, mode & __RTLD_SECURE, &env_path_list, - &realname, &fb, - loader ?: GL(dl_ns)[LM_ID_BASE]._ns_loaded, - LA_SER_LIBPATH, &found_other_class); -@@ -2098,12 +2100,12 @@ _dl_map_object (struct link_map *loader, const char *name, int preloaded, - if (fd == -1 && loader != NULL - && cache_rpath (loader, &loader->l_runpath_dirs, - DT_RUNPATH, "RUNPATH")) -- fd = open_path (name, namelen, preloaded, -+ fd = open_path (name, namelen, mode & __RTLD_SECURE, - &loader->l_runpath_dirs, &realname, &fb, loader, - LA_SER_RUNPATH, &found_other_class); - - if (fd == -1 -- && (__builtin_expect (! preloaded, 1) -+ && (__builtin_expect (! (mode & __RTLD_SECURE), 1) - || ! INTUSE(__libc_enable_secure))) - { - /* Check the list of libraries in the file /etc/ld.so.cache, -@@ -2169,7 +2171,7 @@ _dl_map_object (struct link_map *loader, const char *name, int preloaded, - && ((l = loader ?: GL(dl_ns)[nsid]._ns_loaded) == NULL - || __builtin_expect (!(l->l_flags_1 & DF_1_NODEFLIB), 1)) - && rtld_search_dirs.dirs != (void *) -1) -- fd = open_path (name, namelen, preloaded, &rtld_search_dirs, -+ fd = open_path (name, namelen, mode & __RTLD_SECURE, &rtld_search_dirs, - &realname, &fb, l, LA_SER_DEFAULT, &found_other_class); - - /* Add another newline when we are tracing the library loading. */ -diff --git a/elf/dl-open.c b/elf/dl-open.c -index c394b3f..cf8e8cc 100644 ---- a/elf/dl-open.c -+++ b/elf/dl-open.c -@@ -223,7 +223,7 @@ dl_open_worker (void *a) - - /* Load the named object. 
*/ - struct link_map *new; -- args->map = new = _dl_map_object (call_map, file, 0, lt_loaded, 0, -+ args->map = new = _dl_map_object (call_map, file, lt_loaded, 0, - mode | __RTLD_CALLMAP, args->nsid); - - /* If the pointer returned is NULL this means the RTLD_NOLOAD flag is -diff --git a/elf/rtld.c b/elf/rtld.c -index 5ecc4fe..06b534a 100644 ---- a/elf/rtld.c -+++ b/elf/rtld.c -@@ -589,7 +589,6 @@ struct map_args - /* Argument to map_doit. */ - char *str; - struct link_map *loader; -- int is_preloaded; - int mode; - /* Return value of map_doit. */ - struct link_map *map; -@@ -627,16 +626,17 @@ static void - map_doit (void *a) - { - struct map_args *args = (struct map_args *) a; -- args->map = _dl_map_object (args->loader, args->str, -- args->is_preloaded, lt_library, 0, args->mode, -- LM_ID_BASE); -+ args->map = _dl_map_object (args->loader, args->str, lt_library, 0, -+ args->mode, LM_ID_BASE); - } - - static void - dlmopen_doit (void *a) - { - struct dlmopen_args *args = (struct dlmopen_args *) a; -- args->map = _dl_open (args->fname, RTLD_LAZY | __RTLD_DLOPEN | __RTLD_AUDIT, -+ args->map = _dl_open (args->fname, -+ (RTLD_LAZY | __RTLD_DLOPEN | __RTLD_AUDIT -+ | __RTLD_SECURE), - dl_main, LM_ID_NEWLM, _dl_argc, INTUSE(_dl_argv), - __environ); - } -@@ -806,8 +806,7 @@ do_preload (char *fname, struct link_map *main_map, const char *where) - - args.str = fname; - args.loader = main_map; -- args.is_preloaded = 1; -- args.mode = 0; -+ args.mode = __RTLD_SECURE; - - unsigned int old_nloaded = GL(dl_ns)[LM_ID_BASE]._ns_nloaded; - -@@ -1054,7 +1053,6 @@ of this helper program; chances are you did not intend to run this program.\n\ - - args.str = rtld_progname; - args.loader = NULL; -- args.is_preloaded = 0; - args.mode = __RTLD_OPENEXEC; - (void) _dl_catch_error (&objname, &err_str, &malloced, map_doit, - &args); -@@ -1066,7 +1064,7 @@ of this helper program; chances are you did not intend to run this program.\n\ - else - { - HP_TIMING_NOW (start); -- _dl_map_object 
(NULL, rtld_progname, 0, lt_library, 0, -+ _dl_map_object (NULL, rtld_progname, lt_library, 0, - __RTLD_OPENEXEC, LM_ID_BASE); - HP_TIMING_NOW (stop); - -diff --git a/include/dlfcn.h b/include/dlfcn.h -index a67426d..af92483 100644 ---- a/include/dlfcn.h -+++ b/include/dlfcn.h -@@ -9,6 +9,7 @@ - #define __RTLD_OPENEXEC 0x20000000 - #define __RTLD_CALLMAP 0x10000000 - #define __RTLD_AUDIT 0x08000000 -+#define __RTLD_SECURE 0x04000000 /* Apply additional security checks. */ - - #define __LM_ID_CALLER -2 - -diff --git a/sysdeps/generic/ldsodefs.h b/sysdeps/generic/ldsodefs.h -index fcc943b..fa4b6b2 100644 ---- a/sysdeps/generic/ldsodefs.h -+++ b/sysdeps/generic/ldsodefs.h -@@ -824,11 +824,9 @@ extern void _dl_receive_error (receiver_fct fct, void (*operate) (void *), - - /* Open the shared object NAME and map in its segments. - LOADER's DT_RPATH is used in searching for NAME. -- If the object is already opened, returns its existing map. -- For preloaded shared objects PRELOADED is set to a non-zero -- value to allow additional security checks. */ -+ If the object is already opened, returns its existing map. */ - extern struct link_map *_dl_map_object (struct link_map *loader, -- const char *name, int preloaded, -+ const char *name, - int type, int trace_mode, int mode, - Lmid_t nsid) - internal_function attribute_hidden; --- -1.7.2 - Added: glibc-2.12.2-ignore-origin-of-privileged-program.patch =================================================================== --- glibc-2.12.2-ignore-origin-of-privileged-program.patch (rev 0) +++ glibc-2.12.2-ignore-origin-of-privileged-program.patch 2010-12-17 00:55:50 UTC (rev 103261) 
@@ -0,0 +1,26 @@ +From d14e6b09d60d52cc12f0396c3106b14e1bd0fe8f Mon Sep 17 00:00:00 2001 +From: Andreas Schwab <[email protected]> +Date: Thu, 9 Dec 2010 15:00:59 +0100 +Subject: [PATCH 1/1] Ignore origin of privileged program + +--- + ChangeLog | 5 +++++ + elf/dl-object.c | 3 +++ + 2 files changed, 8 insertions(+), 0 deletions(-) + +diff --git a/elf/dl-object.c b/elf/dl-object.c +index 22a1635..7674d49 100644 +--- a/elf/dl-object.c ++++ b/elf/dl-object.c +@@ -214,6 +214,9 @@ _dl_new_object (char *realname, const char *libname, int type, + out: + new->l_origin = origin; + } ++ else if (INTUSE(__libc_enable_secure) && type == lt_executable) ++ /* The origin of a privileged program cannot be trusted. */ ++ new->l_origin = (char *) -1; + + return new; + } +-- +1.7.2 Modified: glibc.install =================================================================== --- glibc.install 2010-12-17 00:51:31 UTC (rev 103260) +++ glibc.install 2010-12-17 00:55:50 UTC (rev 103261) @@ -1,6 +1,5 @@ -infodir=/usr/share/info -filelist=(libc.info libc.info-1 libc.info-2 libc.info-3 libc.info-4 libc.info-5 libc.info-6 libc.info-7 - libc.info-8 libc.info-9 libc.info-10 libc.info-11) +infodir=usr/share/info +filelist=(libc.info{,-1,-2,-3,-4,-5,-6,-7,-8,-9,-10,-11}) post_upgrade() { sbin/ldconfig -r .
