Debian Weekly News - email

From: Ben Collins <bcollins@DEBIAN.ORG>
Date:         Wed, 10 Jan 2001 14:22:22 -0500
To: BUGTRAQ@SECURITYFOCUS.COM
Subject:      Re: Glibc Local Root Exploit
Reply-To: Ben Collins <bcollins@DEBIAN.ORG>

On Wed, Jan 10, 2001 at 12:06:48AM -0700, Charles Stevenson wrote:
> Hi all,
>   This has been bouncing around on vuln-dev and the debian-devel lists. It
> effects glibc >= 2.1.9x and it would seem many if not all OSes using these
> versions of glibc. Ben Collins writes, "This wasn't supposed to happen, and
> the actual fix was a missing comma in the list of secure env vars that were
> supposed to be cleared when a program starts up suid/sgid (including
> RESOLV_HOST_CONF)." The exploit varies from system to system but in our
> devel version of Yellow Dog Linux I was able to print the /etc/shadow file
> as a normal user in the following manner:
>
> export RESOLV_HOST_CONF=/etc/shadow
> ssh whatever.host.com
>
>   Other programs have the same effect depending on the defaults for the
> system. I have tested this on Red Hat 7.0, Yellow Dog Linux 2.0
> (pre-release), and Debian Woody. Others have reported similar results on
> Slackware and even "home brew[ed]" GNU/Linux.

Just a note. The latest *released* Debian (2.2, aka potato) is not
vulnerable to this problem, since it uses glibc 2.1.3. Our unreleased
testing and devel (aka woody and sid) dists are vulnerable, at least
today. The fixed packages are being uploaded, and should be on mirrors
within 24-48 hours.

Don't expect a security announcement from this on Debian, since we only
do that for released distributions, which woody and sid are not.

Also, to give credit where credit is due, Jakub Jelinek actually
produced the patch that fixes this particular problem. I was merely
stating what I knew (in the quote above).

--
 -----------=======-=-======-=========-----------=====------------=-=------
/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'

From: Bdale Garbee <bdale@gag.com>
Date: Wed, 17 Jan 2001 03:11:56 -0700
To: debian-devel@lists.debian.org, debian-ia64@lists.debian.org
Subject: Debian on IA-64

I am pleased to report that the IA-64 system on loan from HP to Agilent that
is in my possession is now happily running Debian GNU/Linux natively.  This
machine arrived in my hands a few weeks ago "for evaluation" without an
operating system loaded, and since what I wanted to evaluate was Debian...

This would have been much harder without the help I received from Randolph
Chung.  He offered encouragement as I struggled to get a working combination
of hardware and BIOS version, crafted the chroot environment on top of
TurboLinux that we used to do the bootstrapping work, then helped build some
of the packages I got frustrated with.

I would also like to recognize Ben Collins and Brendan O'Dea for being on
IRC at the right times to help me get past my struggles building glibc and
perl packages, respectively.  Their patience and enthusiasm helped!

The current status is that I'm booting a 100% Debian root filesystem, and am
finishing up getting the right pieces in place to "start over" building
packages that are fit for upload.  I have requested a binary-ia64 tree be
created, and expect that to happen soon.  Package uploads should begin within
the next week.  It seems completely possible that IA-64 could join the set of
supported ports for woody, but a lot of work remains between now and then!

Before jumping the hurdle from running in the chroot environment to booting a
real Debian filesystem, we had over 600 .deb's built, including everything
relevant depended on by the boot-floppies package.  There are a few ugly hacks
that need to be addressed, and a couple of repeatable internal compiler errors
in the very pre-release version of the compiler we're running, but I do not
expect it to take very long to get a respectable number of packages built and
uploaded.

I understand that there has been some progress towards obtaining an IA-64
system for general use by Debian developers.  I hope there will be an
announcement about that soon.  In the meantime, I am *not* able to provide
logins for everyone on this machine.

Bdale

To receive this newsletter weekly in your mailbox, subscribe to the debian-news mailing list.

Back issues of this newsletter are available.

This issue of Debian Weekly News was edited by Joey Hess.