glibc vulnerability

Dagmar d'Surreal dagmar.wants at nospam.com
Sun Jun 1 16:35:56 PDT 2003


On Sun, 2003-06-01 at 17:14, Ken Moffat wrote:
> On Sun, 1 Jun 2003, Dagmar d'Surreal wrote:
> 
> > On Sun, 2003-06-01 at 15:22, Dagmar d'Surreal wrote:
> > > On Wed, 2003-05-28 at 07:51, Jochen Schroeder wrote:
> > > > Suse has released a patch for glibc to fix a security hole in the XDR
> > > > code, see here for details:
> > > > http://www.suse.de/de/security/2003_027_glibc.html
> > >
> > > Umm... Took them long enough.  Glibc-2.3.2 doesn't have this problem.
> >
> > ..and more to the point, here's an annotated diff that people should
> > start applying to glibc.  It was assembled directly from the components
> > listed in CERT Advisory CA-2003-10.  Since glibc-2.3.2 is not vulnerable
> > to this, if you are currently building using the current CVS tree of
> > LFS, you don't need to worry about it.  Everyone else using any version
> > of glibc previous to 2.3.2 (2.3.1, 2.2.5, etc) should apply this patch
> > to their glibc sources and rebuild to eliminate the vulnerability from
> > their system.
> >
>  Thanks for this, but the comments don't seem to be in line with your
> recommendation to label _where_ the patch came from, or is it my eyes
> failing ?

To be perfectly accurate, the patch comes from the glibc team, since
it's merely a summary and collation of diffs pulled from the CVS as
mentioned in CA-2003-10 (http://www.cert.org/advisories/CA-2003-10.html)
which is why I didn't bother to explicitly tag it with an author credit.

To be really pedantic about it, the patch could also be considered to
have come from me since I collated it into a single patch, or Sun since
it was their broken library that was fixed, or possibly eEye for all I
can tell.  I was unable to ascertain exactly who fixed it, or even if a
single person could be credited.

>  Now I'll have to try to understand it, to see whether I trust it ;-)

Hrmm... I've put it into my build trees, but since I'm fully into
glibc-2.3.2 now I doubt I'll ever have to deal with building it into a
2.2.x tree (I'm going to have to put it in a spec file for a client
tho... *sigh*).  Did I happen to mention it's definitely in glibc-2.3.2,
so I think it's pretty trustworthy.
-- 
The email address above is just as phony as it looks, and for obvious reasons.
Instant messaging contact info: AIM: evilDagmar  Jabber: evilDagmar at jabber.org
