Hi all,

Here's an interesting security update from Slackware that gives some
information on a recent vulnerability exposed in Glibc:

glibc-2.11.1-i486-4_slack13.1.txz: Rebuilt.
Patched "dynamic linker expands $ORIGIN in setuid library
search path".
This security issue allows a local attacker to gain root if
they can create a hard link to a setuid root binary.
Thanks to Tavis Ormandy.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3847
http://seclists.org/fulldisclosure/2010/Oct/257
(* Security fix *)

The seclists.org link is particularly interesting since it explains the
vulnerability in detail.

What's the implication for LFS? I've just finished chapter 5 (temp
tools) of LFS 6.7 and I'm about ready to start chapter 6. LFS uses
Glibc 2.12, not 2.11, but I would think the vulnerability is still
there. When I go to http://ftp.gnu.org/gnu/glibc/ the most recent
version is the same one we're using for LFS 6.7 from August 2010.

So:

1) Is it worth downloading and using the development version of Glibc
from git://sourceware.org/git/glibc.git to build LFS with the updated
source?
2) Can I build the updated git-checkout version of Glibc with the
standard version I built in the /tools directory? I don't think
there should be a problem, but I'm not sure.
3) How do you folks handle security issues like this?

Regards,
-Drew
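
An added example, not part of the message above or of the Slackware advisory: since the advisory says the issue depends on a hard link to a setuid root binary, this Python audit lists setuid files owned by root that have more than one hard link and counts links lying outside the scanned directories. The function names, the `owner_uid` parameter and the default directories are assumptions made for illustration.

```python
import os
import stat
import sys
from collections import defaultdict


def find_linked_setuid(roots, owner_uid=0):
    """Map (st_dev, st_ino) -> sorted paths for setuid regular files owned by
    owner_uid whose hard-link count is greater than one."""
    hits = defaultdict(set)  # a set, so overlapping roots do not duplicate paths
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, followlinks=False):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: never follow symlinks
                except OSError:
                    continue  # entry vanished or is unreadable
                if not stat.S_ISREG(st.st_mode):
                    continue
                if not (st.st_mode & stat.S_ISUID) or st.st_uid != owner_uid:
                    continue
                if st.st_nlink > 1:
                    hits[(st.st_dev, st.st_ino)].add(path)
    return {key: sorted(paths) for key, paths in hits.items()}


def links_outside_scan(hits):
    """For each flagged inode, count the links that were not seen under the
    scanned roots (for example, one sitting in a user-writable directory)."""
    return {key: os.lstat(paths[0]).st_nlink - len(paths)
            for key, paths in hits.items()}


if __name__ == "__main__":
    # Default roots are an assumption; pass the directories to audit as args.
    roots = sys.argv[1:] or ["/bin", "/sbin", "/usr/bin", "/usr/sbin"]
    hits = find_linked_setuid(roots)
    outside = links_outside_scan(hits)
    for key, paths in sorted(hits.items()):
        print("dev=%d inode=%d links_elsewhere=%d" % (key + (outside[key],)))
        for p in paths:
            print("    " + p)
```

A non-zero `links_elsewhere` value means the same inode is also reachable from a path that was not scanned, which is the case worth investigating first.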