r35879 - in /desktop/unstable/glib2.0/debian: changelog patches/11_CVE-2012-3524_setuid.patch patches/series
joss at users.alioth.debian.org
joss at users.alioth.debian.org
Fri Oct 5 07:43:08 UTC 2012
Author: joss
Date: Fri Oct 5 07:43:07 2012
New Revision: 35879
URL: http://svn.debian.org/wsvn/pkg-gnome/?sc=1&rev=35879
Log:
SECURITY: add 11_CVE-2012-3524_setuid.patch from upstream. Prevents
from using DBus in a setuid binary. Fixes CVE-2012-3524.
Added:
desktop/unstable/glib2.0/debian/patches/11_CVE-2012-3524_setuid.patch
Modified:
desktop/unstable/glib2.0/debian/changelog
desktop/unstable/glib2.0/debian/patches/series
Modified: desktop/unstable/glib2.0/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/unstable/glib2.0/debian/changelog?rev=35879&op=diff
==============================================================================
--- desktop/unstable/glib2.0/debian/changelog [utf-8] (original)
+++ desktop/unstable/glib2.0/debian/changelog [utf-8] Fri Oct 5 07:43:07 2012
@@ -1,10 +1,12 @@
-glib2.0 (2.33.12+really2.32.4-2) UNRELEASED; urgency=low
+glib2.0 (2.33.12+really2.32.4-2) UNRELEASED; urgency=medium
* Revert link adding for gdbus-object-manager-example. While it is
useful to have in /usr/share/doc as an example, it must not be
shipped with the system documentation.
* 20_glib-compile-resources_leak.patch: new patch. Fix a leak
introduced in version 2.32.4. Thanks Niels Thykier!
+ * SECURITY: add 11_CVE-2012-3524_setuid.patch from upstream. Prevents
+ from using DBus in a setuid binary. Fixes CVE-2012-3524.
-- Josselin Mouette <joss at debian.org> Sun, 23 Sep 2012 13:26:33 +0200
Added: desktop/unstable/glib2.0/debian/patches/11_CVE-2012-3524_setuid.patch
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/unstable/glib2.0/debian/patches/11_CVE-2012-3524_setuid.patch?rev=35879&op=file
==============================================================================
--- desktop/unstable/glib2.0/debian/patches/11_CVE-2012-3524_setuid.patch (added)
+++ desktop/unstable/glib2.0/debian/patches/11_CVE-2012-3524_setuid.patch [utf-8] Fri Oct 5 07:43:07 2012
@@ -1,0 +1,247 @@
+From 4c2928a54482913cf236bff0e66650a8f47e17ea Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters at verbum.org>
+Date: Wed, 22 Aug 2012 18:26:11 +0000
+Subject: CVE-2012-3524: Hardening for being run in a setuid environment
+
+Some programs attempt to use libglib (or even libgio) when setuid.
+For a long time, GTK+ simply aborted if launched in this
+configuration, but we never had a real policy for GLib.
+
+I'm not sure whether we should advertise such support. However, given
+that there are real-world programs that do this currently, we can make
+them safer with not too much effort.
+
+Better to fix a problem caused by an interaction between two
+components in *both* places if possible.
+
+This patch adds a private function g_check_setuid() which is used to
+first ensure we don't run an external dbus-launch binary if
+DBUS_SESSION_BUS_ADDRESS isn't set.
+
+Second, we also ensure the local VFS is used in this case. The
+gdaemonvfs extension point will end up talking to the session bus
+which is typically undesirable in a setuid context.
+
+Implementing g_check_setuid() is interesting - whether or not we're
+running in a privilege-escalated path is operating system specific.
+Note that GTK+'s code to check euid versus uid worked historically on
+Unix, more modern systems have filesystem capabilities and SELinux
+domain transitions, neither of which are captured by the uid
+comparison.
+
+On Linux/glibc, the way this works is that the kernel sets an
+AT_SECURE flag in the ELF auxiliary vector, and glibc looks for it on
+startup. If found, then glibc sets a public-but-undocumented
+__libc_enable_secure variable which we can use. Unfortunately, while
+it *previously* worked to check this variable, a combination of newer
+binutils and RPM break it:
+http://www.openwall.com/lists/owl-dev/2012/08/14/1
+
+So for now on Linux/glibc, we fall back to the historical Unix version
+until we get glibc fixed.
+
+On some BSD variants, there is a issetugid() function. On other Unix
+variants, we fall back to what GTK+ has been doing.
+
+Reported-By: Sebastian Krahmer <krahmer at suse.de>
+Signed-off-by: Colin Walters <walters at verbum.org>
+---
+diff --git a/configure.ac b/configure.ac
+index 584df1d..67ea1a9 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -583,9 +583,20 @@ AC_TRY_COMPILE([#include <dirent.h>], [DIR *dir;],
+ # Checks for library functions.
+ AC_FUNC_VPRINTF
+ AC_FUNC_ALLOCA
+-AC_CHECK_FUNCS(mmap posix_memalign memalign valloc fsync pipe2)
++AC_CHECK_FUNCS(mmap posix_memalign memalign valloc fsync pipe2 issetugid)
+ AC_CHECK_FUNCS(atexit on_exit timegm gmtime_r)
+
++AC_CACHE_CHECK([for __libc_enable_secure], glib_cv_have_libc_enable_secure,
++ [AC_TRY_LINK([#include <unistd.h>
++ extern int __libc_enable_secure;],
++ [return __libc_enable_secure;],
++ glib_cv_have_libc_enable_secure=yes,
++ glib_cv_have_libc_enable_secure=no)])
++AS_IF([test x$glib_cv_have_libc_enable_secure = xyes], [
++ AC_DEFINE(HAVE_LIBC_ENABLE_SECURE, 1,
++ [Define if you have the __libc_enable_secure variable (GNU libc, eglibc)])
++])
++
+ AC_CHECK_SIZEOF(char)
+ AC_CHECK_SIZEOF(short)
+ AC_CHECK_SIZEOF(long)
+@@ -984,7 +995,7 @@ AC_MSG_RESULT(unsigned $glib_size_type)
+
+ # Check for some functions
+ AC_CHECK_FUNCS(lstat strerror strsignal memmove vsnprintf stpcpy strcasecmp strncasecmp poll getcwd vasprintf setenv unsetenv getc_unlocked readlink symlink fdwalk memmem)
+-AC_CHECK_FUNCS(chown lchmod lchown fchmod fchown link utimes getgrgid getpwuid)
++AC_CHECK_FUNCS(chown lchmod lchown fchmod fchown link utimes getgrgid getpwuid getresuid)
+ AC_CHECK_FUNCS(getmntent_r setmntent endmntent hasmntopt getfsstat getvfsstat)
+ # Check for high-resolution sleep functions
+ AC_CHECK_FUNCS(splice)
+diff --git a/gio/gdbusaddress.c b/gio/gdbusaddress.c
+index 4aa13b9..96b6343 100644
+--- a/gio/gdbusaddress.c
++++ b/gio/gdbusaddress.c
+@@ -37,6 +37,7 @@
+ #include "giostream.h"
+ #include "gasyncresult.h"
+ #include "gsimpleasyncresult.h"
++#include "glib-private.h"
+ #include "gdbusprivate.h"
+ #include "giomodule-priv.h"
+ #include "gdbusdaemon.h"
+@@ -1023,6 +1024,14 @@ get_session_address_dbus_launch (GError **error)
+ restore_dbus_verbose = FALSE;
+ old_dbus_verbose = NULL;
+
++ /* Don't run binaries as root if we're setuid. */
++ if (GLIB_PRIVATE_CALL (g_check_setuid) ())
++ {
++ g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
++ _("Cannot spawn a message bus when setuid"));
++ goto out;
++ }
++
+ machine_id = _g_dbus_get_machine_id (error);
+ if (machine_id == NULL)
+ {
+diff --git a/gio/gvfs.c b/gio/gvfs.c
+index dda8afb..9afbcec 100644
+--- a/gio/gvfs.c
++++ b/gio/gvfs.c
+@@ -23,6 +23,7 @@
+ #include "config.h"
+ #include <string.h>
+ #include "gvfs.h"
++#include "glib-private.h"
+ #include "glocalvfs.h"
+ #include "gresourcefile.h"
+ #include "giomodule-priv.h"
+@@ -191,6 +192,8 @@ g_vfs_parse_name (GVfs *vfs,
+ GVfs *
+ g_vfs_get_default (void)
+ {
++ if (GLIB_PRIVATE_CALL (g_check_setuid) ())
++ return g_vfs_get_local ();
+ return _g_io_module_get_default (G_VFS_EXTENSION_POINT_NAME,
+ "GIO_USE_VFS",
+ (GIOModuleVerifyFunc)g_vfs_is_active);
+diff --git a/glib/genviron.c b/glib/genviron.c
+index 59a8bbe..9525cf0 100644
+--- a/glib/genviron.c
++++ b/glib/genviron.c
+@@ -40,6 +40,7 @@
+ #include <windows.h>
+ #endif
+
++#include "glib-private.h"
+ #include "gmem.h"
+ #include "gmessages.h"
+ #include "gstrfuncs.h"
+diff --git a/glib/glib-private.c b/glib/glib-private.c
+index 3946e77..3506782 100644
+--- a/glib/glib-private.c
++++ b/glib/glib-private.c
+@@ -38,7 +38,9 @@ glib__private__ (void)
+ g_wakeup_signal,
+ g_wakeup_acknowledge,
+
+- g_get_worker_context
++ g_get_worker_context,
++
++ g_check_setuid
+ };
+
+ return &table;
+diff --git a/glib/glib-private.h b/glib/glib-private.h
+index fde0be8..87da6f3 100644
+--- a/glib/glib-private.h
++++ b/glib/glib-private.h
+@@ -25,6 +25,8 @@
+
+ G_GNUC_INTERNAL
+ GMainContext * g_get_worker_context (void);
++G_GNUC_INTERNAL
++gboolean g_check_setuid (void);
+
+ #define GLIB_PRIVATE_CALL(symbol) (glib__private__()->symbol)
+
+@@ -40,6 +42,8 @@ typedef struct {
+ /* See gmain.c */
+ GMainContext * (* g_get_worker_context) (void);
+ /* Add other private functions here, initialize them in glib-private.c */
++
++ gboolean (* g_check_setuid) (void);
+ } GLibPrivateVTable;
+
+ GLibPrivateVTable *glib__private__ (void);
+diff --git a/glib/gutils.c b/glib/gutils.c
+index 38b5e44..f8a38d1 100644
+--- a/glib/gutils.c
++++ b/glib/gutils.c
+@@ -2409,3 +2409,60 @@ g_get_tmp_dir (void)
+ }
+
+ #endif
++
++/* Private API:
++ *
++ * Returns %TRUE if the current process was executed as setuid (or an
++ * equivalent __libc_enable_secure is available). See:
++ * http://osdir.com/ml/linux.lfs.hardened/2007-04/msg00032.html
++ */
++gboolean
++g_check_setuid (void)
++{
++ /* TODO: get __libc_enable_secure exported from glibc.
++ * See http://www.openwall.com/lists/owl-dev/2012/08/14/1
++ */
++#if 0 && defined(HAVE_LIBC_ENABLE_SECURE)
++ {
++ /* See glibc/include/unistd.h */
++ extern int __libc_enable_secure;
++ return __libc_enable_secure;
++ }
++#elif defined(HAVE_ISSETUGID)
++ /* BSD: http://www.freebsd.org/cgi/man.cgi?query=issetugid&sektion=2 */
++ return issetugid ();
++#elif defined(G_OS_UNIX)
++ uid_t ruid, euid, suid; /* Real, effective and saved user ID's */
++ gid_t rgid, egid, sgid; /* Real, effective and saved group ID's */
++
++ static gsize check_setuid_initialised;
++ static gboolean is_setuid;
++
++ if (g_once_init_enter (&check_setuid_initialised))
++ {
++#ifdef HAVE_GETRESUID
++ /* These aren't in the header files, so we prototype them here.
++ */
++ int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
++ int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid);
++
++ if (getresuid (&ruid, &euid, &suid) != 0 ||
++ getresgid (&rgid, &egid, &sgid) != 0)
++#endif /* HAVE_GETRESUID */
++ {
++ suid = ruid = getuid ();
++ sgid = rgid = getgid ();
++ euid = geteuid ();
++ egid = getegid ();
++ }
++
++ is_setuid = (ruid != euid || ruid != suid ||
++ rgid != egid || rgid != sgid);
++
++ g_once_init_leave (&check_setuid_initialised, 1);
++ }
++ return is_setuid;
++#else
++ return FALSE;
++#endif
++}
+--
+cgit v0.9.0.2
Modified: desktop/unstable/glib2.0/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/unstable/glib2.0/debian/patches/series?rev=35879&op=diff
==============================================================================
--- desktop/unstable/glib2.0/debian/patches/series [utf-8] (original)
+++ desktop/unstable/glib2.0/debian/patches/series [utf-8] Fri Oct 5 07:43:07 2012
@@ -4,6 +4,7 @@
04_homedir_env.patch
05_run-gio-tests-with-a-dbus-session.patch
10_gdbus_race.patch
+11_CVE-2012-3524_setuid.patch
20_glib-compile-resources_leak.patch
61_glib-compile-binaries-path.patch
90_gio-modules-multiarch-compat.patch
More information about the pkg-gnome-commits
mailing list