Bug 985625 (CVE-2013-4788)
Summary: CVE-2013-4788 glibc: PTR_MANGLE does not initialize to a random value for the pointer guard when compiling static executables
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
Hardware: All
OS: Linux
Reporter: Vincent Danen <vdanen>
Assignee: Red Hat Product Security <security-response-team>
CC: codonell, fweimer, jakub, jkurik, jrusnack, law, mfranc, pfrankli, schwab, spoyarek, vdanen
Keywords: Patch, Security
Doc Type: Bug Fix
Last Closed: 2014-06-20 09:04:55 UTC
Bug Depends On: 990391, 990481
Bug Blocks: 985629
Description
Vincent Danen
2013-07-17 23:40:39 UTC
The patch looks like it should work to solve the problem. Though this is a continued reminder that static binaries are a serious security problem since they can't be easily patched.
This is going to need a regression test. We will need pointer guard macros for all machines so the test can examine the pointer guard value and compare against expected results.
Could you please immediately file an upstream issue with glibc and associate the issue with this one?
Created attachment 775204
Upstream fix with regression test.
Attaching an upstream WIP fix with regression test.
Regression test fails without patch.
e.g.
/home/carlos/tst-ptrguard1-static --command "/home/carlos/tst-ptrguard1-static --child"
differences 0 defaults 0
pointer guard canaries are not randomized enough
nor equal to the default canary value
Regression test passes after patch.
/home/carlos/build/glibc/elf/tst-ptrguard1-static --command "/home/carlos/build/glibc/elf/tst-ptrguard1-static --child"
differences 16 defaults 0
The non-static test passes before and after the patch because the non-static case always has a random pointer guard.
This test only passes on x86-64; all other targets need to implement POINTER_CHK_GUARD to pass the test (and even build at this point).
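An added example, not part of the bug report or of glibc's test suite: a small C check in the spirit of the regression test described above, which counts how many child runs report a pointer guard different from the parent's and how many report a default value. Assumptions: x86-64 glibc keeps the guard at `%fs:0x30`, and the function names, the `n / 2` threshold and the default guard value are hypothetical choices of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct guard_stats { size_t differences, defaults; };

/* Read this process's pointer guard. Assumption: x86-64 glibc stores it in
   the thread control block at %fs:0x30; other targets return 0 here. */
static uintptr_t read_pointer_guard(void)
{
#if defined(__x86_64__) && defined(__GLIBC__)
    uintptr_t guard;
    __asm__ ("mov %%fs:0x30, %0" : "=r" (guard));
    return guard;
#else
    return 0;
#endif
}

/* Compare the guards reported by n child runs with the parent's guard.
   Returns 1 when at least half differ from the parent (randomized) or at
   least half equal default_guard, 0 otherwise. The n / 2 threshold and
   default_guard are assumptions of this sketch. */
static int guards_acceptable(uintptr_t parent, const uintptr_t *child,
                             size_t n, uintptr_t default_guard,
                             struct guard_stats *st)
{
    st->differences = st->defaults = 0;
    if (n == 0)
        return 0;                     /* no samples, nothing demonstrated */
    for (size_t i = 0; i < n; i++) {
        if (child[i] != parent)
            st->differences++;
        if (child[i] == default_guard)
            st->defaults++;
    }
    return st->differences >= n / 2 || st->defaults >= n / 2;
}

int main(void)
{
    /* Print this run's guard. Build with -static and run repeatedly to
       collect the samples that guards_acceptable() compares. */
    printf("0x%016llx\n", (unsigned long long) read_pointer_guard());
    return 0;
}
```

A static build that prints the same value on every run corresponds to the failing "differences 0 defaults 0" case quoted above.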
Created glibc tracking bugs for this issue: Affects: fedora-all [bug 990391]
glibc-2.18-9.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
glibc-2.17-18.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
This problem is fixed in Red Hat Enterprise Linux 7. As this issue only affects static executables, and is not a flaw by itself, rather an issue in the implementation of the protective technology, there is currently no plan to backport this fix to glibc versions in Red Hat Enterprise Linux 6 and older.
Statement: Red Hat Security Response Team has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates for Red Hat Enterprise Linux 5 and 6. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/ .