Another glibc multilib update

Barely a week has passed, and we have yet another local root hole in glibc that needed patching. The Slackware ChangeLog said it like this:

a/glibc-solibs-2.12.1-x86_64-3.txz: Rebuilt.
Patched “The GNU C library dynamic linker will dlopen arbitrary DSOs
during setuid loads.” This security issue allows a local attacker to
gain root by specifying an unsafe DSO in the library search path to be
used with a setuid binary in LD_AUDIT mode.
Bug found by Tavis Ormandy (with thanks to Ben Hawkes and Julien Tinnes).
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3856
http://seclists.org/fulldisclosure/2010/Oct/344
(* Security fix *)

Of course, I was out of town for a few days when this happened, so it took a little longer to build updated multilib versions for glibc.

But… they are available now for your 64-bit Slackware 13.0, 13.1 and -current. Grab them here: http://slackware.com/~alien/multilib/. If you need guidance, read the README or, better yet, check out the Wiki page on Slackware multilib.

I hope this is the last hole for a while; it sucks having to rebuild all of this.

Mirrors: http://taper.alienbase.nl/mirrors/people/alien/multilib/ and http://slackware.org.uk/people/alien/multilib/.

Eric

7 thoughts on “Another glibc multilib update”

  1. Eric,

    Since the libwebkit-1.0.so.2.17.7 update I can no longer get the handbrake package to run. When you have a spare minute can you rebuild handbrake to work with the new version of webkit?



  2. Eric,

    This is what I’m getting:

    shotsy ~/Desktop $ ghb
    ghb: error while loading shared libraries: libwebkit-1.0.so.2: cannot open shared object file: No such file or directory

    when I run locate libwebkit I get this output:

    /usr/lib/libwebkit-1.0.so.2.17.7
    /usr/lib/libwebkit-1.0.la
    /usr/lib/libwebkit-1.0.so.2
    /usr/lib/libwebkit-1.0.so

    and the ls -la

    shotsy /usr/lib $ ls -la libwebkit*
    -rwxr-xr-x 1 root root 2912 2010-10-15 18:05 libwebkit-1.0.la*
    lrwxrwxrwx 1 root root 23 2010-10-16 07:41 libwebkit-1.0.so -> libwebkit-1.0.so.2.17.7*
    lrwxrwxrwx 1 root root 23 2010-10-16 07:41 libwebkit-1.0.so.2 -> libwebkit-1.0.so.2.17.7*
    -rwxr-xr-x 1 root root 14892688 2010-10-15 18:05 libwebkit-1.0.so.2.17.7*

    Thanks for your help!

    Ken


  3. Eric,

    I figured it out; looks like I picked up some packages from somewhere else. I had to re-download and apply webkitgtk, icu4c, and libsoup from http://connie.slackware.com/~alien/slackbuilds/

    now locate libwebkit returns:

    shotsy /usr/lib $ locate libwebkit
    /usr/lib64/libwebkit-1.0.la
    /usr/lib64/libwebkit-1.0.so.2.17.7
    /usr/lib64/libwebkit-1.0.so.2
    /usr/lib64/libwebkit-1.0.so

    Where I got the offending packages is beyond me; these are the repositories I have configured for slapt-get:

    SOURCE=http://slackware.mirrors.tds.net/pub/slackware/slackware64-current/
    SOURCE=http://slackware.org.uk/people/alien/restricted_slackbuilds/
    SOURCE=http://connie.slackware.com/~alien/slackbuilds/

    # Sources for the testing, extra, and pasture areas – if you use them.
    # SOURCE=ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/extra/:PREFERRED
    # SOURCE=ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/testing/
    # SOURCE=ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/pasture/
    SOURCE=http://slackware.mirrors.tds.net/pub/slackware/slackware64-current/extra
    SOURCE=http://taper.alienbase.nl/mirrors/slackware/slackware64-current/testing

    and all is running again. Thanks

    Ken

