[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Fwd: [Full-Disclosure] [ GLSA 200408-16 ] glibc: Information leak with LD_DEBUG

Katarina Lukaszewicz <catarina@xxxxxxxxx> wrote:
> When trying to do a match for glibc in /var/radmind/transcript on sixthday
> it is rather hard to tell what version we have going.  I know the version
> built on equilibrium is glibc-2.2.5 with -2.patch also there.
> However when I did a grep on the command files I did find
> multiuser-test.K:p lfs-glibc232.T
> rdevine-sites-desktop-base.K:p lfs-glibc232.T
> So they may have unaffected r11 or affected r10...

Hm.  Here's what's in the RCS log for "lfs-base":
	radmind@sixthday: rlog transcript/lfs-base.T
	revision 1.33
	date: 2004/02/12 08:06:08;  author: sweda;  state: Exp;  lines: +3221 -3102
	mdw added glibc 2.3.2
	mdw created lfs-base-1.2.0.T
What should sweda & I have said to document this more clearly?

And, I just know you're going to hate me for saying this, but I sent
mail out almost exactly 6 months ago discussing this:
 54537  040205 To:umce.linux      Re: glibc bug<<Wesley D Craig <wes@xxxxxxxxx> writes: >
 56424  040210 To:umce.linux      UMCE linux; lfs-base-1.2.0.T; now features glibc 2.3.2<
 57139  040212 Katarina Lukaszew  updates to glibc and lfs-negative and lfs-base<<are now
I believe there was also discussion about this in one or more umce
meetings.  I suppose the evidence isn't quite completely obvious, but
in fact lfs-glibc232.T was the "beta test" transcript for the glibc
that I built and that we then merged into lfs-base.T making
lfs-base-1.2.0.  The original mail I sent mentioned that I had
left build notes in CVS, and those notes document every patch I
applied.  The notes don't explicitly state it, but every tarball
and patch file I named there is also in
I'm a packrat, what can I say?

I don't know how the "-r10" numbers match up with what I built.  Some
of these numbers look like they might be post-release patch numbers,
possibly assigned by either the glibc folks, or by gentoo, and some of
them look like they might be related to dates in the glibc developers'
cvs repository.  Regardless, I think it's likely that what I built
predates any of these, and that we're most likely vulnerable.
The actual exposure sounds not too bad, and is probably a concern
most immediately to the login and web folks.

It would probably be a reasonable project for somebody to go build
a newer glibc -- either 2.3.2 with more patches, or if the glibc
folks are pushing something newer, perhaps that.  There's one mistake
I made when I last built glibc -- I left "--disable-nls" set but
this was an oversight on my part; as per discussion in the umce linux
meetings we had agreed this should be enabled.