Bugzilla – Bug 830268
VUL-1: CVE-2013-4788: glibc: PTR_MANGLE does not initialize to a random value for the pointer guard when compiling static executables
Last modified: 2014-09-18 05:21:36 UTC
public via glibc lists

Subject: [PATCH] BZ #15754: CVE-2013-4788: PTR_MANGLE does not initialize to a random value for the pointer guard when compiling static executables
Date: Fri, 19 Jul 2013 03:42:42 -0400
From: Carlos O'Donell <carlos@redhat.com>
To: GNU C Library <libc-alpha@sourceware.org>, "Joseph S. Myers" <joseph@codesourcery.com>, Ismael Ripoll <iripoll@disca.upv.es>, Hector Marco <hecmargi@upv.es>, Siddhesh Poyarekar <siddhesh@redhat.com>, Andreas Jaeger <aj@suse.com>

CVE-2013-4788 glibc: PTR_MANGLE does not initialize to a random value for the pointer guard when compiling static executables.

It was reported in [1],[2] that glibc and eglibc suffer from a flaw due to the PTR_MANGLE implementations. As described by the reporter:

~~~
The vulnerability is caused due to the non-initialization to a random value (it is always zero) of the "pointer guard" by the glibc only when generating static compiled executables. Dynamic executables are not affected. Pointer guard is used to mangle the content of sensible pointers (longjmp, signal handlers, etc.); if the pointer guard value is zero (non-initialized) then it is not effective.
~~~

[1] http://hmarco.org/bugs/CVE-2013-4788.html
[2] http://www.openwall.com/lists/oss-security/2013/07/15/5

The following patch fixes the defect by initializing the pointer guard for static applications. An additional regression test, based on tst-stackguard1.c, is added to check that the pointer guard is sufficiently random and initialized for a static application.

Without the fix the test fails with:

~~~
tst-ptrguard1-static --command "tst-ptrguard1-static --child"
differences 0 defaults 0
pointer guard canaries are not randomized enough nor equal to the default canary value
~~~

After the fix the test passes:

~~~
tst-ptrguard1-static --command "tst-ptrguard1-static --child"
differences 16 defaults 0
~~~

The non-static test passes before and after the patch because the non-static case always has a random pointer guard.
This test only passes on x86-64, all other targets need to implement POINTER_CHK_GUARD in stackguard-macros.h to pass the test (and even build at this point). We might want to rename stackguard-macros.h, but I didn't. Given that we are frozen for 2.18 we could split this into two pieces, one with the fix, another with the test case once 2.19 reopens and machine maintainers can commit their implementations of POINTER_CHK_GUARD. Tested on x86-64 with no regressions. (... patch ... )
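To make the two points of the report concrete (why a zero pointer guard makes PTR_MANGLE ineffective, and what the regression test is measuring when it prints "differences" and "defaults"), here is an added illustration in plain C. It is not code from the bug, the patch, or glibc. The mangling scheme is modelled on the x86-64 PTR_MANGLE/PTR_DEMANGLE macros (xor with the guard, rotate left by 17 bits); the `DEFAULT_GUARD` value, the pass threshold in `guards_randomized`, and all guard and pointer values are constructed for the example rather than taken from the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 64-bit rotations.  On x86-64 glibc's PTR_MANGLE xors a pointer with the
   per-process pointer guard and rotates it left by 17 bits; PTR_DEMANGLE
   reverses that.  Re-implemented here for illustration (assumption:
   modelled on, not copied from, glibc's x86-64 sysdep.h). */
static uint64_t rol64(uint64_t v, unsigned n) { return (v << n) | (v >> (64 - n)); }
static uint64_t ror64(uint64_t v, unsigned n) { return (v >> n) | (v << (64 - n)); }

uint64_t ptr_mangle(uint64_t p, uint64_t guard)   { return rol64(p ^ guard, 17); }
uint64_t ptr_demangle(uint64_t m, uint64_t guard) { return ror64(m, 17) ^ guard; }

/* True when the original pointer falls out of the mangled value without
   knowing the guard, i.e. when mangling contributes no secret at all.
   With guard == 0 this is always the case: mangling is a bare rotation,
   which is exactly the situation the report describes for static binaries. */
bool recoverable_without_guard(uint64_t p, uint64_t guard)
{
    return ptr_demangle(ptr_mangle(p, guard), 0) == p;
}

/* Mirror of what the regression test in the report measures: the parent
   reads its own pointer guard, runs a number of children that report
   theirs, then counts children whose guard differs from the parent's
   ("differences") and children still holding the compile-time default
   ("defaults").  Both the default value and the pass threshold below are
   constructed for this example (assumption), not glibc's. */
#define DEFAULT_GUARD 0xff0a0000ULL   /* hypothetical default canary value */

struct guard_stats { size_t differences; size_t defaults; };

bool guards_randomized(uint64_t parent, const uint64_t *children, size_t n,
                       struct guard_stats *st)
{
    st->differences = 0;
    st->defaults = 0;
    for (size_t i = 0; i < n; i++) {
        if (children[i] != parent) st->differences++;
        if (children[i] == DEFAULT_GUARD) st->defaults++;
    }
    /* Constructed threshold: every child must differ from the parent and
       none may carry the default value. */
    return st->differences == n && st->defaults == 0;
}

int main(void)
{
    /* Constructed observations: an unpatched static binary where every
       process ends up with guard 0, and a patched one with per-process
       random guards. */
    const uint64_t buggy[4] = {0, 0, 0, 0};
    const uint64_t fixed[4] = {0x9d2e3a4b5c6d7e8fULL, 0x1122334455667788ULL,
                               0xdeadbeefcafef00dULL, 0x0123456789abcdefULL};
    const uint64_t fixed_parent = 0x7f3c5e1a9b8d6c4eULL;
    struct guard_stats st;

    bool ok = guards_randomized(0, buggy, 4, &st);
    printf("unpatched static: differences %zu defaults %zu -> %s\n",
           st.differences, st.defaults, ok ? "pass" : "FAIL");

    ok = guards_randomized(fixed_parent, fixed, 4, &st);
    printf("patched static:   differences %zu defaults %zu -> %s\n",
           st.differences, st.defaults, ok ? "pass" : "FAIL");

    /* Why the zero guard matters: a saved return address mangled under
       guard 0 is readable back without any secret; under a random guard
       it is not. */
    uint64_t saved_pc = 0x00005555555551a0ULL;   /* constructed pointer */
    printf("guard 0:      recoverable without guard? %s\n",
           recoverable_without_guard(saved_pc, 0) ? "yes" : "no");
    printf("random guard: recoverable without guard? %s\n",
           recoverable_without_guard(saved_pc, fixed_parent) ? "yes" : "no");
    return 0;
}
```

The "differences 0 defaults 0" line that the report shows for the unpatched build corresponds to the first case above: every process has the same guard as the parent, so nothing differs, and nothing equals the default either because the guard is simply zero.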
bugbot adjusting priority
Given the need for rebuilding other apps with this, it's not that urgent. Put it on planned for now.
The SWAMPID for this issue is 54298. This issue was rated as low. Please submit fixed packages until 2013-09-26. Also create a patchinfo file using this link: https://swamp.suse.de/webswamp/wf/54298
Older versions than SLE11-SP2 are not affected, as PTR_MANGLE is new with glibc 2.10. done
But SLE11-SP1 has 2.11.1:

~~~
% ls /work/SRC/old-versions/sle11/SP1-UPDATES/all/glibc/ | grep tar.bz2
glibc-2.11.1-11c19d374bd4.tar.bz2
manpages.tar.bz2
noversion.tar.bz2
~~~
Update released for: glibc, glibc-32bit, glibc-debuginfo, glibc-debuginfo-32bit, glibc-debuginfo-64bit, glibc-debuginfo-x86, glibc-debugsource, glibc-devel, glibc-devel-32bit, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-locale-32bit, glibc-locale-x86, glibc-obsolete, glibc-profile, glibc-profile-32bit, glibc-profile-x86, glibc-x86, nscd
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Update released for: glibc, glibc-32bit, glibc-debuginfo, glibc-debuginfo-32bit, glibc-debuginfo-64bit, glibc-debuginfo-x86, glibc-debugsource, glibc-devel, glibc-devel-32bit, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-locale-32bit, glibc-locale-x86, glibc-obsolete, glibc-profile, glibc-profile-32bit, glibc-profile-x86, glibc-x86, nscd
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
The SWAMPID for this issue is 55384. This issue was rated as moderate. Please submit fixed packages until 2013-12-24. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Update released for: glibc, glibc-32bit, glibc-debuginfo, glibc-debugsource, glibc-devel, glibc-devel-32bit, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-locale-32bit, glibc-obsolete, glibc-profile, glibc-profile-32bit, nscd
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
done
Affected packages: SLE-10-SP3: glibc.i686
SUSE-SU-2014:1122-1: An update that solves 7 vulnerabilities and has 6 fixes is now available.
Category: security (important)
Bug References: 750741, 779320, 801246, 830268, 834594, 836746, 839870, 843735, 864081, 882600, 883022, 886416, 892073
CVE References: CVE-2012-4412, CVE-2013-0242, CVE-2013-4237, CVE-2013-4332, CVE-2013-4788, CVE-2014-4043, CVE-2014-5119
Sources used: SUSE Linux Enterprise Server 11 SP1 LTSS (src): glibc-2.11.1-0.58.1