Bug#600667: eglibc: cve-2010-3847 dynamic linker expands $ORIGIN in setuid library search path
* Aurelien Jarno:

> I have just committed the fix, I am planning to do an upload soon to
> unstable. Do you think we should also fix it in stable? via a security
> release?

FYI, I have uploaded eglibc 2.11.2-6+squeeze1 to testing-security.

-- 
To UNSUBSCRIBE, email to debian-glibc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87vd4usmme@mid.deneb.enyo.de
Bug#600667: eglibc: cve-2010-3847 dynamic linker expands $ORIGIN in setuid library search path
On Thu, Oct 21, 2010 at 03:43:59PM -0400, Michael Gilbert wrote:
> On Thu, 21 Oct 2010 19:36:04 +0200, Aurelien Jarno wrote:
> > On Mon, Oct 18, 2010 at 06:58:45PM -0400, Michael Gilbert wrote:
> > > package: eglibc
> > > version: 2.11.2-6
> > > severity: grave
> > > tag: patch
> > >
> > > an issue has been disclosed in eglibc. see:
> > > http://seclists.org/fulldisclosure/2010/Oct/257
> > >
> > > patch available:
> > > http://sourceware.org/ml/libc-hacker/2010-10/msg7.html
> >
> > I have just committed the fix, I am planning to do an upload soon to
> > unstable. Do you think we should also fix it in stable? via a security
> > release?
>
> the exploitability of this issue is questionable, but i think it should
> be fixed in a DSA just to be safe (based on the precautionary
> principle). thanks for working on the fix.

Ok, then I'll work on a stable upload after doing the unstable upload.
Unfortunately I don't have a lot of time to spend on Debian currently.

Also note that given the glibc is not built with -DNDEBUG on Debian, it
seems it is not vulnerable. At least an assert is triggered when trying
the exploit instead of becoming root.

-- 
Aurelien Jarno GPG: 1024D/F1BCDB73
aurel...@aurel32.net http://www.aurel32.net

Archive: http://lists.debian.org/20101022080427.ga8...@hall.aurel32.net
Processing of glibc_2.7-18lenny6_amd64.changes
glibc_2.7-18lenny6_amd64.changes uploaded successfully to localhost
along with the files:
  glibc-doc_2.7-18lenny6_all.deb
  glibc-source_2.7-18lenny6_all.deb
  locales_2.7-18lenny6_all.deb
  libc6_2.7-18lenny6_amd64.deb
  libc6-dev_2.7-18lenny6_amd64.deb
  libc6-prof_2.7-18lenny6_amd64.deb
  libc6-pic_2.7-18lenny6_amd64.deb
  locales-all_2.7-18lenny6_amd64.deb
  libc6-i386_2.7-18lenny6_amd64.deb
  libc6-dev-i386_2.7-18lenny6_amd64.deb
  nscd_2.7-18lenny6_amd64.deb
  libc6-dbg_2.7-18lenny6_amd64.deb
  libc6-udeb_2.7-18lenny6_amd64.udeb
  libnss-dns-udeb_2.7-18lenny6_amd64.udeb
  libnss-files-udeb_2.7-18lenny6_amd64.udeb

Greetings,

Your Debian queue daemon (running on host franck.debian.org)

Archive: http://lists.debian.org/e1p9ljs-00015f...@franck.debian.org
Processing of glibc_2.7-18lenny6_source.changes
glibc_2.7-18lenny6_source.changes uploaded successfully to localhost
along with the files:
  glibc_2.7-18lenny6.dsc
  glibc_2.7-18lenny6.diff.gz

Greetings,

Your Debian queue daemon (running on host franck.debian.org)

Archive: http://lists.debian.org/e1p9ljt-00016y...@franck.debian.org
glibc_2.7-18lenny6_source.changes REJECTED
Reject Reasons:
source only uploads are not supported.

Notes:
Mapping stable-security to proposed-updates.

===

Please feel free to respond to this email if you don't understand why
your files were rejected, or if you upload new files which address our
concerns.

Archive: http://lists.debian.org/e1p9lua-0003zi...@franck.debian.org
glibc_2.7-18lenny6_amd64.changes REJECTED
Reject Reasons:
no source found for glibc 2.7-18lenny6 (libc6-prof_2.7-18lenny6_amd64.deb).
no source found for glibc 2.7-18lenny6 (locales_2.7-18lenny6_all.deb).
no source found for glibc 2.7-18lenny6 (libc6_2.7-18lenny6_amd64.deb).
no source found for glibc 2.7-18lenny6 (libc6-dev_2.7-18lenny6_amd64.deb).
no source found for glibc 2.7-18lenny6 (libc6-pic_2.7-18lenny6_amd64.deb).
no source found for glibc 2.7-18lenny6 (libnss-dns-udeb_2.7-18lenny6_amd64.udeb).
no source found for glibc 2.7-18lenny6 (libnss-files-udeb_2.7-18lenny6_amd64.udeb).
no source found for glibc 2.7-18lenny6 (glibc-doc_2.7-18lenny6_all.deb).
no source found for glibc 2.7-18lenny6 (libc6-i386_2.7-18lenny6_amd64.deb).
no source found for glibc 2.7-18lenny6 (nscd_2.7-18lenny6_amd64.deb).
no source found for glibc 2.7-18lenny6 (libc6-dev-i386_2.7-18lenny6_amd64.deb).
no source found for glibc 2.7-18lenny6 (glibc-source_2.7-18lenny6_all.deb).
no source found for glibc 2.7-18lenny6 (locales-all_2.7-18lenny6_amd64.deb).
no source found for glibc 2.7-18lenny6 (libc6-udeb_2.7-18lenny6_amd64.udeb).
no source found for glibc 2.7-18lenny6 (libc6-dbg_2.7-18lenny6_amd64.deb).

Notes:
Mapping stable-security to proposed-updates.

===

Please feel free to respond to this email if you don't understand why
your files were rejected, or if you upload new files which address our
concerns.

Archive: http://lists.debian.org/e1p9lug-0003bf...@franck.debian.org
Processing of eglibc_2.11.2-6+squeeze1_amd64.changes
eglibc_2.11.2-6+squeeze1_amd64.changes uploaded successfully to localhost
along with the files:
  eglibc_2.11.2-6+squeeze1.dsc
  eglibc_2.11.2.orig.tar.gz
  eglibc_2.11.2-6+squeeze1.diff.gz
  glibc-doc_2.11.2-6+squeeze1_all.deb
  eglibc-source_2.11.2-6+squeeze1_all.deb
  locales_2.11.2-6+squeeze1_all.deb
  libc6_2.11.2-6+squeeze1_amd64.deb
  libc6-dev_2.11.2-6+squeeze1_amd64.deb
  libc6-prof_2.11.2-6+squeeze1_amd64.deb
  libc6-pic_2.11.2-6+squeeze1_amd64.deb
  libc-bin_2.11.2-6+squeeze1_amd64.deb
  libc-dev-bin_2.11.2-6+squeeze1_amd64.deb
  locales-all_2.11.2-6+squeeze1_amd64.deb
  libc6-i386_2.11.2-6+squeeze1_amd64.deb
  libc6-dev-i386_2.11.2-6+squeeze1_amd64.deb
  nscd_2.11.2-6+squeeze1_amd64.deb
  libc6-dbg_2.11.2-6+squeeze1_amd64.deb
  libc6-udeb_2.11.2-6+squeeze1_amd64.udeb
  libnss-dns-udeb_2.11.2-6+squeeze1_amd64.udeb
  libnss-files-udeb_2.11.2-6+squeeze1_amd64.udeb

Greetings,

Your Debian queue daemon (running on host franck.debian.org)

Archive: http://lists.debian.org/e1p9lyi-0004pw...@franck.debian.org
Re: glibc_2.7-18lenny6_source.changes REJECTED
* Debian FTP Masters:

> Reject Reasons:
> source only uploads are not supported.
>
> Notes:
> Mapping stable-security to proposed-updates.

Ahem. Should I upload a newer version to stable-proposed-updates, or is
this a spurious error message?

Archive: http://lists.debian.org/87sjzyruss@mid.deneb.enyo.de
eglibc_2.11.2-6+squeeze1_amd64.changes ACCEPTED into testing-proposed-updates
Warnings:
Propogating upload to unstable
ignoring eglibc_2.11.2.orig.tar.gz, since it's already in the archive.

Notes:
Mapping testing-security to testing-proposed-updates.

Accepted:
eglibc-source_2.11.2-6+squeeze1_all.deb to main/e/eglibc/eglibc-source_2.11.2-6+squeeze1_all.deb
eglibc_2.11.2-6+squeeze1.diff.gz to main/e/eglibc/eglibc_2.11.2-6+squeeze1.diff.gz
eglibc_2.11.2-6+squeeze1.dsc to main/e/eglibc/eglibc_2.11.2-6+squeeze1.dsc
glibc-doc_2.11.2-6+squeeze1_all.deb to main/e/eglibc/glibc-doc_2.11.2-6+squeeze1_all.deb
libc-bin_2.11.2-6+squeeze1_amd64.deb to main/e/eglibc/libc-bin_2.11.2-6+squeeze1_amd64.deb
libc-dev-bin_2.11.2-6+squeeze1_amd64.deb to main/e/eglibc/libc-dev-bin_2.11.2-6+squeeze1_amd64.deb
libc6-dbg_2.11.2-6+squeeze1_amd64.deb to main/e/eglibc/libc6-dbg_2.11.2-6+squeeze1_amd64.deb
libc6-dev-i386_2.11.2-6+squeeze1_amd64.deb to main/e/eglibc/libc6-dev-i386_2.11.2-6+squeeze1_amd64.deb
libc6-dev_2.11.2-6+squeeze1_amd64.deb to main/e/eglibc/libc6-dev_2.11.2-6+squeeze1_amd64.deb
libc6-i386_2.11.2-6+squeeze1_amd64.deb to main/e/eglibc/libc6-i386_2.11.2-6+squeeze1_amd64.deb
libc6-pic_2.11.2-6+squeeze1_amd64.deb to main/e/eglibc/libc6-pic_2.11.2-6+squeeze1_amd64.deb
libc6-prof_2.11.2-6+squeeze1_amd64.deb to main/e/eglibc/libc6-prof_2.11.2-6+squeeze1_amd64.deb
libc6-udeb_2.11.2-6+squeeze1_amd64.udeb to main/e/eglibc/libc6-udeb_2.11.2-6+squeeze1_amd64.udeb
libc6_2.11.2-6+squeeze1_amd64.deb to main/e/eglibc/libc6_2.11.2-6+squeeze1_amd64.deb
libnss-dns-udeb_2.11.2-6+squeeze1_amd64.udeb to main/e/eglibc/libnss-dns-udeb_2.11.2-6+squeeze1_amd64.udeb
libnss-files-udeb_2.11.2-6+squeeze1_amd64.udeb to main/e/eglibc/libnss-files-udeb_2.11.2-6+squeeze1_amd64.udeb
locales-all_2.11.2-6+squeeze1_amd64.deb to main/e/eglibc/locales-all_2.11.2-6+squeeze1_amd64.deb
locales_2.11.2-6+squeeze1_all.deb to main/e/eglibc/locales_2.11.2-6+squeeze1_all.deb
nscd_2.11.2-6+squeeze1_amd64.deb to main/e/eglibc/nscd_2.11.2-6+squeeze1_amd64.deb

Override entries for your package:
eglibc-source_2.11.2-6+squeeze1_all.deb - optional devel
eglibc_2.11.2-6+squeeze1.dsc - source libs
glibc-doc_2.11.2-6+squeeze1_all.deb - optional doc
libc-bin_2.11.2-6+squeeze1_amd64.deb - required libs
libc-dev-bin_2.11.2-6+squeeze1_amd64.deb - optional libdevel
libc6-dbg_2.11.2-6+squeeze1_amd64.deb - extra debug
libc6-dev-i386_2.11.2-6+squeeze1_amd64.deb - optional libdevel
libc6-dev_2.11.2-6+squeeze1_amd64.deb - optional libdevel
libc6-i386_2.11.2-6+squeeze1_amd64.deb - standard libs
libc6-pic_2.11.2-6+squeeze1_amd64.deb - optional libdevel
libc6-prof_2.11.2-6+squeeze1_amd64.deb - extra libdevel
libc6-udeb_2.11.2-6+squeeze1_amd64.udeb - extra debian-installer
libc6_2.11.2-6+squeeze1_amd64.deb - required libs
libnss-dns-udeb_2.11.2-6+squeeze1_amd64.udeb - extra debian-installer
libnss-files-udeb_2.11.2-6+squeeze1_amd64.udeb - extra debian-installer
locales-all_2.11.2-6+squeeze1_amd64.deb - extra libs
locales_2.11.2-6+squeeze1_all.deb - standard localization
nscd_2.11.2-6+squeeze1_amd64.deb - optional admin

Announcing to debian-testing-chan...@lists.debian.org

Thank you for your contribution to Debian.

Archive: http://lists.debian.org/e1p9lia-0005bg...@franck.debian.org
eglibc override disparity
There are disparities between your recently accepted upload and the
override file for the following file(s):

libc6-i386_2.11.2-6+squeeze1_amd64.deb: package says priority is optional, override says standard.
locales-all_2.11.2-6+squeeze1_amd64.deb: package says section is localization, override says libs.

Please note that a list of new sections were recently added to the
archive: cli-mono, database, debug, fonts, gnu-r, gnustep, haskell,
httpd, java, kernel, lisp, localization, ocaml, php, ruby, vcs, video,
xfce, zope. At this time a script was used to reclassify packages into
these sections. If this is the case, please only reply to this email if
the new section is inappropriate, otherwise please update your package
at the next upload.

Either the package or the override file is incorrect. If you think the
override is correct and the package wrong please fix the package so that
this disparity is fixed in the next upload. If you feel the override is
incorrect then please file a bug against ftp.debian.org and explain why.
Please INCLUDE the list of packages as seen above, or we won't be able
to deal with your request due to missing information.

Please make sure that the subject of the bug you file follows the
following format:

Subject: override: BINARY1:section/priority, [...], BINARYX:section/priority

Include the justification for the change in the body of the mail please.

[NB: this is an automatically generated mail; if you already filed a bug
and have not received a response yet, please ignore this mail. Your bug
needs to be processed by a human and will be in due course, but until
then the installer will send these automated mails; sorry.]

-- 
Debian distribution maintenance software
(This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@debian.org)

Archive: http://lists.debian.org/e1p9lid-0005bt...@franck.debian.org