[Nix-dev] Exploit on glibc + strategy on how to fix the bug

Lluís Batlle i Rossell viriketo at gmail.com
Mon Oct 25 21:46:50 CEST 2010


On Mon, Oct 25, 2010 at 06:25:23PM +0000, Lluís Batlle wrote:
> Author: viric
> Date: Mon Oct 25 18:25:23 2010
> New Revision: 24475
> URL: https://svn.nixos.org/websvn/nix/?rev=24475&sc=1
> 
> Log:
> Adding a fix for an important glibc vulnerability, very easy to exploit:
> http://www.securityfocus.com/bid/44347
> 
> Added:
>    nixpkgs/branches/stdenv-updates/pkgs/development/libraries/glibc-2.12/audit_suid.patch
> Modified:
>    nixpkgs/branches/stdenv-updates/pkgs/development/libraries/glibc-2.12/common.nix

For those interested in fixing the dynamic loader in trunk (glibc 2.11.1), I
built glibc for i686-linux and x86_64-linux 2.11.1 with "prefix=whateverneeded",
and I took its ld.so from them.

You can use the same procedure to get an ld.so that you can use to overwrite your
$glibcpath/lib/ld-2.11.1.so, or the bravest and laziest not wanting the bug in
their ld.so can take what I built from:
x86_64-linux:
http://vicerveza.homeunix.net/~viric/tmp/nix/9pq9d484l2dgqapfppwib1swy84ihl34-glibc-2.11.1-ld.so.bz2

i686-linux:
http://vicerveza.homeunix.net/~viric/tmp/nix/l8x3fdy1r6zf441vnqa87lzsvxrjbdz9-glibc-2.11.1-ld.so.bz2

It comes with NO WARRANTY. The hashes in the name mean the output store paths
they are built for.

bunzip2 the file, rename it to "ld-2.11.1.so", add the execution bits, and you can
try it with: ./ld-2.11.1.so `which cp`
If you see 'cp' working, you can bravely copy that ld-2.11.1 to your nix store,
overwriting glibc's in its /lib.
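An added check for the swap-in procedure above (example code, not from the post or from nixpkgs): it refuses a loader whose store hash does not match the target glibc output, runs it against cp as the post suggests, keeps a backup, and replaces the file with an atomic rename. It assumes the store directory has already been made writable and that the bunzip2'ed file keeps its hash-prefixed name.

```shell
#!/bin/sh
# Added example, not from the original post or from nixpkgs: check a
# replacement ld.so before it overwrites the one in a glibc store path.
# Assumptions: the target store directory is writable, the replacement is
# already decompressed, and its name still starts with the store hash it
# was built for, as in the post's download names.

# store_hash PATH: print the 32-character store hash, taken from the
# /nix/store/<hash>-... component of a store path or from the leading
# <hash>-... of a plain file name. Fails if no well-formed hash is found.
store_hash() {
    case "$1" in
        */nix/store/*) s="${1#*/nix/store/}" ;;
        *)             s="${1##*/}" ;;
    esac
    h=$(printf '%.32s' "$s")
    case "$h" in *[!0-9a-z]*) return 1 ;; esac
    [ "${#h}" -eq 32 ] && printf '%s\n' "$h"
}

# check_loader LD: run an ordinary dynamically linked program through the
# candidate loader, the same test as `./ld-2.11.1.so \`which cp\``.
check_loader() {
    [ -x "$1" ] || { echo "not executable: $1" >&2; return 1; }
    "$1" "$(command -v cp)" --version >/dev/null 2>&1
}

# install_loader NEW TARGET: refuse a loader built for another glibc output
# or one that cannot run cp, keep a backup, then swap files by rename.
# Every dynamically linked process depends on TARGET, and copying over it
# in place would truncate it before the new contents are written.
install_loader() {
    new="$1" target="$2"
    nh=$(store_hash "$new") && th=$(store_hash "$target") && [ "$nh" = "$th" ] ||
        { echo "store hash mismatch: $new vs $target" >&2; return 1; }
    check_loader "$new" || return 1
    cp -p "$target" "$target.orig" || return 1
    cp "$new" "$target.tmp" && chmod 0555 "$target.tmp" && mv -f "$target.tmp" "$target"
}

if [ "$#" -eq 2 ]; then
    install_loader "$1" "$2"
fi
```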
