Debian Weekly News - email
From: Ben Collins <bcollins@DEBIAN.ORG> Date: Wed, 10 Jan 2001 14:22:22 -0500 To: BUGTRAQ@SECURITYFOCUS.COM Subject: Re: Glibc Local Root Exploit Reply-To: Ben Collins <bcollins@DEBIAN.ORG> On Wed, Jan 10, 2001 at 12:06:48AM -0700, Charles Stevenson wrote: > Hi all, > This has been bouncing around on vuln-dev and the debian-devel lists. It > effects glibc >= 2.1.9x and it would seem many if not all OSes using these > versions of glibc. Ben Collins writes, "This wasn't supposed to happen, and > the actual fix was a missing comma in the list of secure env vars that were > supposed to be cleared when a program starts up suid/sgid (including > RESOLV_HOST_CONF)." The exploit varies from system to system but in our > devel version of Yellow Dog Linux I was able to print the /etc/shadow file > as a normal user in the following manner: > > export RESOLV_HOST_CONF=/etc/shadow > ssh whatever.host.com > > Other programs have the same effect depending on the defaults for the > system. I have tested this on Red Hat 7.0, Yellow Dog Linux 2.0 > (pre-release), and Debian Woody. Others have reported similar results on > Slackware and even "home brew[ed]" GNU/Linux. Just a note. The latest *released* Debian (2.2, aka potato) is not vulnerable to this problem, since it uses glibc 2.1.3. Our unreleased testing and devel (aka woody and sid) dists are vulnerable, at least today. The fixed packages are being uploaded, and should be on mirrors within 24-48 hours. Don't expect a security announcement from this on Debian, since we only do that for released distributions, which woody and sid are not. Also, to give credit where credit is due, Jakub Jelinek actually produced the patch that fixes this particular problem. I was merely stating what I knew (in the quote above). -- -----------=======-=-======-=========-----------=====------------=-=------ / Ben Collins -- ...on that fantastic voyage... -- Debian GNU/Linux \ ` email@example.com -- firstname.lastname@example.org -- email@example.com ' `---=========------=======-------------=-=-----=-===-======-------=--=---'
From: Bdale Garbee <firstname.lastname@example.org> Date: Wed, 17 Jan 2001 03:11:56 -0700 To: email@example.com, firstname.lastname@example.org Subject: Debian on IA-64 I am pleased to report that the IA-64 system on loan from HP to Agilent that is in my possession is now happily running Debian GNU/Linux natively. This machine arrived in my hands a few weeks ago "for evaluation" without an operating system loaded, and since what I wanted to evaluate was Debian... This would have been much harder without the help I received from Randolph Chung. He offered encouragement as I struggled to get a working combination of hardware and BIOS version, crafted the chroot environment on top of TurboLinux that we used to do the bootstrapping work, then helped build some of the packages I got frustrated with. I would also like to recognize Ben Collins and Brendan O'Dea for being on IRC at the right times to help me get past my struggles building glibc and perl packages, respectively. Their patience and enthusiasm helped! The current status is that I'm booting a 100% Debian root filesystem, and am finishing up getting the right pieces in place to "start over" building packages that are fit for upload. I have requested a binary-ia64 tree be created, and expect that to happen soon. Package uploads should begin within the next week. It seems completely possible that IA-64 could join the set of supported ports for woody, but a lot of work remains between now and then! Before jumping the hurdle from running in the chroot environment to booting a real Debian filesystem, we had over 600 .deb's built, including everything relevant depended on by the boot-floppies package. There are a few ugly hacks that need to be addressed, and a couple of repeatable internal compiler errors in the very pre-release version of the compiler we're running, but I do not expect it to take very long to get a respectable number of packages built and uploaded. I understand that there has been some progress towards obtaining an IA-64 system for general use by Debian developers. I hope there will be an announcement about that soon. In the meantime, I am *not* able to provide logins for everyone on this machine. Bdale
To receive this newsletter weekly in your mailbox, subscribe to the debian-news mailing list.
Back issues of this newsletter are available.
This issue of Debian Weekly News was edited by Joey Hess.