Author: arekm Date: Sun Dec 19 09:27:28 2010 GMT Module: packages Tag: HEAD ---- Log message: - simpler version from glibc fedora branch
---- Files affected: packages/glibc: glibc-origin.patch (1.1 -> 1.2) ---- Diffs: ================================================================ Index: packages/glibc/glibc-origin.patch diff -u packages/glibc/glibc-origin.patch:1.1 packages/glibc/glibc-origin.patch:1.2 --- packages/glibc/glibc-origin.patch:1.1 Tue Oct 19 17:46:52 2010 +++ packages/glibc/glibc-origin.patch Sun Dec 19 10:27:23 2010 @@ -1,76 +1,26 @@ -;2010-10-18 Andreas Schwab <[email protected]> -; -; * elf/dl-load.c (is_dst): Remove last parameter. -; (_dl_dst_count): Ignore $ORIGIN in privileged programs. -; (_dl_dst_substitute): Likewise. ---- glibc-2.12.1-7-gfc0ed7b/elf/dl-load.c -+++ glibc-2.12.1-3/elf/dl-load.c -@@ -169,8 +169,7 @@ local_strdup (const char *s) - - - static size_t --is_dst (const char *start, const char *name, const char *str, -- int is_path, int secure) -+is_dst (const char *start, const char *name, const char *str, int is_path) - { - size_t len; - bool is_curly = false; -@@ -199,11 +198,6 @@ is_dst (const char *start, const char *name, const char *str, - && (!is_path || name[len] != ':')) - return 0; +From d14e6b09d60d52cc12f0396c3106b14e1bd0fe8f Mon Sep 17 00:00:00 2001 +From: Andreas Schwab <[email protected]> +Date: Thu, 9 Dec 2010 15:00:59 +0100 +Subject: [PATCH 1/1] Ignore origin of privileged program + +--- + ChangeLog | 5 +++++ + elf/dl-object.c | 3 +++ + 2 files changed, 8 insertions(+), 0 deletions(-) + +diff --git a/elf/dl-object.c b/elf/dl-object.c +index 22a1635..7674d49 100644 +--- a/elf/dl-object.c ++++ b/elf/dl-object.c +@@ -214,6 +214,9 @@ _dl_new_object (char *realname, const char *libname, int type, + out: + new->l_origin = origin; + } ++ else if (INTUSE(__libc_enable_secure) && type == lt_executable) ++ /* The origin of a privileged program cannot be trusted. */ ++ new->l_origin = (char *) -1; -- if (__builtin_expect (secure, 0) -- && ((name[len] != '\0' && (!is_path || name[len] != ':')) -- || (name != start + 1 && (!is_path || name[-2] != ':')))) -- return 0; -- - return len; + return new; } - -@@ -218,13 +212,12 @@ _dl_dst_count (const char *name, int is_path) - { - size_t len; - -- /* $ORIGIN is not expanded for SUID/GUID programs (except if it -- is $ORIGIN alone) and it must always appear first in path. */ -+ /* $ORIGIN is not expanded for SUID/GUID programs. */ - ++name; -- if ((len = is_dst (start, name, "ORIGIN", is_path, -- INTUSE(__libc_enable_secure))) != 0 -- || (len = is_dst (start, name, "PLATFORM", is_path, 0)) != 0 -- || (len = is_dst (start, name, "LIB", is_path, 0)) != 0) -+ if (((len = is_dst (start, name, "ORIGIN", is_path)) != 0 -+ && !INTUSE(__libc_enable_secure)) -+ || (len = is_dst (start, name, "PLATFORM", is_path)) != 0 -+ || (len = is_dst (start, name, "LIB", is_path)) != 0) - ++cnt; - - name = strchr (name + len, '$'); -@@ -256,9 +249,12 @@ _dl_dst_substitute (struct link_map *l, const char *name, char *result, - size_t len; - - ++name; -- if ((len = is_dst (start, name, "ORIGIN", is_path, -- INTUSE(__libc_enable_secure))) != 0) -+ if ((len = is_dst (start, name, "ORIGIN", is_path)) != 0) - { -+ /* Ignore this path element in SUID/SGID programs. */ -+ if (INTUSE(__libc_enable_secure)) -+ repl = (const char *) -1; -+ else - #ifndef SHARED - if (l == NULL) - repl = _dl_get_origin (); -@@ -266,9 +262,9 @@ _dl_dst_substitute (struct link_map *l, const char *name, char *result, - #endif - repl = l->l_origin; - } -- else if ((len = is_dst (start, name, "PLATFORM", is_path, 0)) != 0) -+ else if ((len = is_dst (start, name, "PLATFORM", is_path)) != 0) - repl = GLRO(dl_platform); -- else if ((len = is_dst (start, name, "LIB", is_path, 0)) != 0) -+ else if ((len = is_dst (start, name, "LIB", is_path)) != 0) - repl = DL_DST_LIB; - - if (repl != NULL && repl != (const char *) -1) - +-- +1.7.2 ================================================================ ---- CVS-web: http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/glibc/glibc-origin.patch?r1=1.1&r2=1.2&f=u _______________________________________________ pld-cvs-commit mailing list [email protected] http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
