kumquat-buildroot/package/glibc/0002-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch

From f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Mon, 19 Jun 2017 17:09:55 +0200
Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1
 programs [BZ #21624]

LD_LIBRARY_PATH can only be used to reorder system search paths, which
is not useful functionality.

This makes an exploitable unbounded alloca in _dl_init_paths unreachable
for AT_SECURE=1 programs.

[Peter: Drop ChangeLog modification]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 elf/rtld.c | 3 ++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/elf/rtld.c b/elf/rtld.c
index 2446a87680..2269dbec81 100644
--- a/elf/rtld.c
+++ b/elf/rtld.c
@@ -2422,7 +2422,8 @@ process_envvars (enum mode *modep)
 
 	case 12:
 	  /* The library search path.  */
-	  if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
+	  if (!__libc_enable_secure
+	      && memcmp (envline, "LIBRARY_PATH", 12) == 0)
 	    {
 	      library_path = &envline[13];
 	      break;
-- 
2.11.0
glibc: add upstream security patches fixing CVE-2017-1000366 (stack clash) glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt Patches are identical to upstream, except that the ChangeLog modifications have been stripped. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2017-06-27 08:42:09 +02:00			`From f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d Mon Sep 17 00:00:00 2001`
			`From: Florian Weimer <fweimer@redhat.com>`
			`Date: Mon, 19 Jun 2017 17:09:55 +0200`
			`Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1`
			`programs [BZ #21624]`

			`LD_LIBRARY_PATH can only be used to reorder system search paths, which`
			`is not useful functionality.`

			`This makes an exploitable unbounded alloca in _dl_init_paths unreachable`
			`for AT_SECURE=1 programs.`

			`[Peter: Drop ChangeLog modification]`
			`Signed-off-by: Peter Korsgaard <peter@korsgaard.com>`
			`---`
			`elf/rtld.c \| 3 ++-`
			`1 file changed, 8 insertions(+), 1 deletion(-)`

			`diff --git a/elf/rtld.c b/elf/rtld.c`
			`index 2446a87680..2269dbec81 100644`
			`--- a/elf/rtld.c`
			`+++ b/elf/rtld.c`
			`@@ -2422,7 +2422,8 @@ process_envvars (enum mode *modep)`

			`case 12:`
			`/* The library search path. */`
			`- if (memcmp (envline, "LIBRARY_PATH", 12) == 0)`
			`+ if (!__libc_enable_secure`
			`+ && memcmp (envline, "LIBRARY_PATH", 12) == 0)`
			`{`
			`library_path = &envline[13];`
			`break;`
			`--`
			`2.11.0`