About this blog

I am Eric Hameleers, and this is where I think out loud.
New multilib glibc packages fix local root hole

New glibc packages for Slackware arrived on the mirrors last night. They close a serious local root hole. From the ChangeLog:

Patched “dynamic linker expands $ORIGIN in setuid library search path”.
This security issue allows a local attacker to gain root if they can create
a hard link to a setuid root binary.  Thanks to Tavis Ormandy.
For more information, see:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3847

http://seclists.org/fulldisclosure/2010/Oct/257

(* Security fix *)

I have already created new multilib versions of the updated glibc packages for Slackware64-current, get them here: http://slackware.com/~alien/multilib/current/ or mirrored here: http://taper.alienbase.nl/mirrors/people/alien/multilib/current/ and here: http://slackware.org.uk/people/alien/multilib/current/.

I have also created updates to my multilib glibc packages for Slackware64 13.0 and 13.1. Stay posted, I will write a note in the comments section of this article.

Eric

Comments

Pingback from New multilib glibc packages. – security fix from Alien.
Posted: October 21, 2010 at 15:33

[...] I've just seen on Alien's Pasture: http://alien.slackbook.org/blog/new-…cal-root-hole/ Packages are ready for Slackware-current. For slackware 13.0 and 13.1 packages will be available [...]

Comment from alienbob
Posted: October 21, 2010 at 15:43

Update:
Updated multilib glibc packages for Slackware64 13.1 are available now.

URL: http://slackware.com/~alien/multilib/13.1/
Mirror: http://taper.alienbase.nl/mirrors/people/alien/multilib/13.1/

Packages for Slackware64 13.0 are compiling at the moment.

Eric

Comment from alienbob
Posted: October 21, 2010 at 20:04

Updated multilib glibc packages for Slackware64 13.0 are available now as well. Everyone should be safe in a multilib environment again ;-)

URL: http://slackware.com/~alien/multilib/13.0/
Mirror: http://taper.alienbase.nl/mirrors/people/alien/multilib/13.0/

Eric

Comment from Nick Blizzard
Posted: October 22, 2010 at 00:12

Thanks Eric for keeping even current up to date with multilib :)

Comment from Chris Ablae
Posted: October 22, 2010 at 20:26

Are the packages in http://connie.slackware.com/~alien/multilib/13.1/slackware64-compat32/ also updated? They are all dated in May 2010.

Comment from alienbob
Posted: October 22, 2010 at 21:14

Chris,

I will not update those compat32 packages. They are created from the original 32-bit Slackware packages, and using convertpkg-compat32 you can easily create any package you need out of the published patches for Slackware 13.1.

Eric

Comment from Diogo Sampaio
Posted: October 23, 2010 at 02:12

Hi Eric,
once you seem to have a good communication with the Slack community, maybe you could report them that there is a bug on libboost 1.4.2 with gcc 4.5.1:
https://svn.boost.org/trac/boost/ticket/3844

Once I updated it to libboost 1.4.4, using the original SlackBuild script, it just worked perfectly.

Thanks for the updated packages, again.
D. Sampaio

Comment from Robby Workman
Posted: October 23, 2010 at 14:49

Those of you who use VirtualBox will find that it won’t start as a normal user – this is due to a compiled in rpath of $ORIGIN, which the patched glibc prevents. I *think* the vbox folks have updated the current .run file if you’re using the binary builds, but I don’t know about the -ose version yet. If nothing else, you can take the approach that I used and fix the rpath using the chrpath utility: http://connie.slackware.com/~rworkman/chrpath/
Note that you’re limited to seven characters for the new rpath, so “/opt/VirtualBox” isn’t an option – I chose to do this:
for i in /opt/VirtualBox/*.so ; do
  chrpath -r "/VBOX" "$i" ;
done
mkdir /VBOX
mount --bind /opt/VirtualBox /VBOX

YMMV. :)
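
An added example, not part of the comment above and not taken from Slackware or VirtualBox tooling: a shell audit that lists setuid/setgid files whose RPATH or RUNPATH contains $ORIGIN, which are the candidates for the startup failure described above once the patched glibc is installed. It assumes GNU find and readelf are available; the function names and the sample `readelf -d` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: find setuid/setgid ELF files with $ORIGIN in RPATH/RUNPATH.

# origin_rpaths: read `readelf -d` output on stdin and print every RPATH or
# RUNPATH value that contains the token $ORIGIN or ${ORIGIN}.
origin_rpaths() {
    awk '/\((RPATH|RUNPATH)\)/ && match($0, /\[.*\]/) {
        val = substr($0, RSTART + 1, RLENGTH - 2)   # text between [ and ]
        if (index(val, "$ORIGIN") || index(val, "${ORIGIN}")) print val
    }'
}

# scan_setuid DIR...: print "path<TAB>rpath" for each setuid/setgid regular
# file under the given directories whose search path uses $ORIGIN.
scan_setuid() {
    find "$@" -xdev -type f -perm /6000 2>/dev/null |
    while IFS= read -r f; do
        readelf -d "$f" 2>/dev/null | origin_rpaths |
        while IFS= read -r r; do
            printf '%s\t%s\n' "$f" "$r"
        done
    done
}

# Constructed sample: dynamic-section lines in `readelf -d` format, gathered
# into one listing for the demo (not copied from a real binary).
sample_dynamic() {
    cat <<'EOF'
Dynamic section at offset 0x2d88 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [$ORIGIN]
 0x000000000000001d (RUNPATH)            Library runpath: [/usr/lib64:${ORIGIN}/../lib]
 0x000000000000000f (RPATH)              Library rpath: [/opt/app/lib]
EOF
}

# With directory arguments, audit them; without, run on the sample.
if [ "$#" -gt 0 ]; then
    scan_setuid "$@"
else
    sample_dynamic | origin_rpaths
fi
```

Run it as root with directories such as /opt or /usr as arguments so that find can read every file; an empty result means no setuid/setgid file there depends on $ORIGIN.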

Comment from Chris Abela
Posted: October 23, 2010 at 20:08

Eric,

Maybe I am missing something, but over here it appears that glibc* are blacklisted by convertpkg-compat32:-

# convertpkg-compat32 -i glibc-2.11.1-i486-4_slack13.1.txz -d compat32/
Package glibc is blacklisted by 'glibc.*', aborting.

Probing in convertpkg-compat32:-

# Blacklist of packages not to use this script on (these *have* to be compiled
# on a 64bit box):
BLACKLIST="
glibc.*
kernel.*
gcc.*

Chris

Comment from Chris Abela
Posted: October 23, 2010 at 20:36

Please disregard my previous post.
I figured it out.

Comment from Nick Blizzard
Posted: October 24, 2010 at 03:21

I just verified there is a new .run for VirtualBox (66896) that fixes the issues. Thanks for the heads up :)

Comment from Willy Sudiarto Raharjo
Posted: October 25, 2010 at 17:23

Multilib repository is now mirrored on Asian’s Server:
http://repo.ukdw.ac.id/alien-multilib/
rsync://repo.ukdw.ac.id/alien-multilib

Comment from boris
Posted: October 29, 2010 at 21:32

i’ve got the same problem chris was having earlier, cannot convert glibc and others due to blacklist

Comment from alienbob
Posted: October 29, 2010 at 23:14

@boris:
And why do you think the glibc and gcc packages are on that blacklist? (Hint: what packages did you also upgrade that are not called “compat32”?)

Eric

Comment from alienbob
Posted: October 29, 2010 at 23:39

Warning: there is yet another update to glibc. Slackware packages became available yesterday, my multilib versions are available as of now (see my more recent blog post).

Eric
