[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Fwd: [Full-Disclosure] [ GLSA 200408-16 ] glibc: Information leak with LD_DEBUG
Katarina Lukaszewicz <catarina@xxxxxxxxx> wrote:
> When trying to do a match for glibc in /var/radmind/transcript on sixthday
> it is rather hard to tell what version we have going. I know the version
> built on equilibrium is glibc-2.2.5 with -2.patch also there.
> However when I did a grep on the command files I did find
> multiuser-test.K:p lfs-glibc232.T
> rdevine-sites-desktop-base.K:p lfs-glibc232.T
> So they may have unaffected r11 or affected r10...
Hm. Here's what's in the RCS log for "lfs-base":
radmind@sixthday: rlog transcript/lfs-base.T
date: 2004/02/12 08:06:08; author: sweda; state: Exp; lines: +3221 -3102
mdw added glibc 2.3.2
mdw created lfs-base-1.2.0.T
What should sweda & I have said to document this more clearly?
And, I just know you're going to hate me for saying this, but I sent
mail out almost exactly 6 months ago discussing this:
54537 040205 To:umce.linux Re: glibc bug<<Wesley D Craig <wes@xxxxxxxxx> writes: >
56424 040210 To:umce.linux UMCE linux; lfs-base-1.2.0.T; now features glibc 2.3.2<
57139 040212 Katarina Lukaszew updates to glibc and lfs-negative and lfs-base<<are now
I believe there was also discussion about this in one or more umce
meetings. I suppose the evidence isn't quite completely obvious, but
in fact lfs-glibc232.T was the "beta test" transcript for the glibc
that I built and that we then merged into lfs-base.T making
lfs-base-1.2.0. The original mail I sent mentioned that I had
left build notes in CVS, and those notes document every patch I
applied. The notes don't explicitly state it, but every tarball
and patch file I named there is also in
I'm a packrat, what can I say?
I don't know how the "-r10" numbers match up with what I built. Some
of these numbers look like they might be post-release patch numbers,
possibly assigned by either the glibc folks, or by gentoo, and some of
them look like they might be related to dates in the glibc developers'
cvs repository. Regardless, I think it's likely that what I built
predates any of these, and that we're most likely vulnerable.
The actual exposure sounds not too bad, and is probably a concern
most immediately to the login and web folks.
It would probably be a reasonable project for somebody to go build
a newer glibc -- either 2.3.2 with more patches, or if the glibc
folks are pushing something newer, perhaps that. There's one mistake
I made when I last built glibc -- I left "--disable-nls" set but
this was an oversight on my part; as per discussion in the umce linux
meetings we had agreed this should be enabled.