From 2b83031a9cf9b9dce8fb62e6afb464c3a07264e4 Mon Sep 17 00:00:00 2001 From: Michael Olbrich Date: Wed, 4 Dec 2019 12:28:56 +0100 Subject: glibc: add upstream fix for CVE-2019-19126 Signed-off-by: Michael Olbrich --- ...__libc_enable_secure-before-honoring-LD_P.patch | 50 ++++++++++++++++++++++ patches/glibc-2.30/series | 3 +- 2 files changed, 52 insertions(+), 1 deletion(-) create mode 100644 patches/glibc-2.30/0001-rtld-Check-__libc_enable_secure-before-honoring-LD_P.patch diff --git a/patches/glibc-2.30/0001-rtld-Check-__libc_enable_secure-before-honoring-LD_P.patch b/patches/glibc-2.30/0001-rtld-Check-__libc_enable_secure-before-honoring-LD_P.patch new file mode 100644 index 0000000..951849f --- /dev/null +++ b/patches/glibc-2.30/0001-rtld-Check-__libc_enable_secure-before-honoring-LD_P.patch @@ -0,0 +1,50 @@ +From: =?UTF-8?q?Marcin=20Ko=C5=9Bcielnicki?= +Date: Thu, 21 Nov 2019 00:20:15 +0100 +Subject: [PATCH] rtld: Check __libc_enable_secure before honoring + LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204] + +The problem was introduced in glibc 2.23, in commit +b9eb92ab05204df772eb4929eccd018637c9f3e9 +("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT"). + +(cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e) +--- + NEWS | 10 ++++++++++ + sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h | 3 ++- + 2 files changed, 12 insertions(+), 1 deletion(-) + +diff --git a/NEWS b/NEWS +index ee9ed4de5a3f..ea2dd3c68721 100644 +--- a/NEWS ++++ b/NEWS +@@ -5,6 +5,16 @@ See the end for copying conditions. + Please send GNU C library bug reports via + using `glibc' in the "product" field. + ++Version 2.30.1 ++ ++Security related changes: ++ ++CVE-2019-19126: ld.so failed to ignore the LD_PREFER_MAP_32BIT_EXEC ++ environment variable during program execution after a security ++ transition, allowing local attackers to restrict the possible mapping ++ addresses for loaded libraries and thus bypass ASLR for a setuid ++ program. Reported by Marcin Koƛcielnicki. ++ + Version 2.30 + + Major new features: +diff --git a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h +index 975cbe2950e2..df2cdfdb6b32 100644 +--- a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h ++++ b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h +@@ -31,7 +31,8 @@ + environment variable, LD_PREFER_MAP_32BIT_EXEC. */ + #define EXTRA_LD_ENVVARS \ + case 21: \ +- if (memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0) \ ++ if (!__libc_enable_secure \ ++ && memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0) \ + GLRO(dl_x86_cpu_features).feature[index_arch_Prefer_MAP_32BIT_EXEC] \ + |= bit_arch_Prefer_MAP_32BIT_EXEC; \ + break; diff --git a/patches/glibc-2.30/series b/patches/glibc-2.30/series index da5b65b..5ae6822 100644 --- a/patches/glibc-2.30/series +++ b/patches/glibc-2.30/series @@ -1,9 +1,10 @@ # generated by git-ptx-patches #tag:base --start-number 1 #tag:upstream --start-number 1 +0001-rtld-Check-__libc_enable_secure-before-honoring-LD_P.patch #tag:build-system --start-number 100 0100-add-install-lib-all-target.patch 0101-don-t-regen-docs-if-perl-is-not-found.patch #tag:hacks --start-number 200 0200-Hack-around-mips-args-to-host-gcc.patch -# 093247f87c0e3ded1431e29c27443f99 - git-ptx-patches magic +# a8c1bfa2c01be94508e22cf62d160585 - git-ptx-patches magic -- cgit v1.2.3