oss-sec mailing list archives
Re: glibc $ORIGIN problem - CVE-2010-3847
From: Solar Designer <solar () openwall com>
Date: Mon, 25 Oct 2010 07:26:02 +0400
Hi, This was discussed off-list before, but just to have it more widely known/available - distros are welcome to reuse our sanitize-env patch from Owl: http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/glibc/glibc-2.3.5-owl-alt-sanitize-env.diff or perhaps a revision of it forward-ported to current glibc in ALT's package. Here's a relevant commit: http://git.altlinux.org/people/ldv/packages/?p=glibc.git;a=commitdiff;h=64963eb224c9 Perhaps further changes were made to some of the patched files in Dmitry's repository above (the commit is a bit dated, whereas the current tree is based on glibc 2.11.2). Dmitry, you could want to comment on that. These changes, being a result of exhaustive review of glibc for env var uses, might also provide further inspiration for more attacks on glibc (without our patch). Alexander
Current thread:
- glibc $ORIGIN problem - CVE-2010-3847 Marcus Meissner (Oct 21)
- Re: glibc $ORIGIN problem - CVE-2010-3847 Robert Święcki (Oct 21)
- Re: glibc $ORIGIN problem - CVE-2010-3847 Florian Weimer (Oct 22)
- Re: glibc $ORIGIN problem - CVE-2010-3847 Solar Designer (Oct 24)
- Re: glibc $ORIGIN problem - CVE-2010-3847 Dmitry V. Levin (Oct 26)
- Re: glibc $ORIGIN problem - CVE-2010-3847 Solar Designer (Oct 24)