author Eric Hameleers <alien@slackware.com>2013-09-08 06:47:23 +0000
committer Eric Hameleers <alien@slackware.com>2013-09-08 06:47:23 +0000
commit1965b8be8c954088c87cc7d64394fd6c370710f9 (patch)
treee17dabab869fdf2586b81b88ad10280411abb72e /current
parent98201e1a40e90a714de3cfd8ddfcafa4c574839a (diff)
Patched to remove pt_chown (fix for CVE-2013-2207)
Diffstat (limited to 'current')
-rwxr-xr-xcurrent/glibc/glibc-multilib.SlackBuild11
1 files changed, 10 insertions, 1 deletions
diff --git a/current/glibc/glibc-multilib.SlackBuild b/current/glibc/glibc-multilib.SlackBuild
index 4a96588..fc807fb 100755
--- a/current/glibc/glibc-multilib.SlackBuild
+++ b/current/glibc/glibc-multilib.SlackBuild
@@ -30,7 +30,7 @@
VERSION=${VERSION:-2.17}
CHECKOUT=${CHECKOUT:-""}
-BUILD=${BUILD:-5alien}
+BUILD=${BUILD:-6alien}
## Included in glibc now:
## glibc-libidn version
@@ -202,6 +202,15 @@ apply_patches() {
# amounts of data to be sent to the targeted machine. May lead to a
# crash. Considered low impact.
zcat $CWD/glibc.CVE-2013-1914.diff.gz | patch -p1 --verbose || exit 1
+ # Remove pt_chown by default, as it can be used for a local privilege
+ # escalation. However, although this is worth patching in the -current
+ # version, it requires a non-default (and known to weaken security) setting
+ # for FUSE. Additionally, the patch is not portable to older versions of
+ # glibc (but thanks Mancha for porting it to 2.17!). On older versions
+ # of glibc, making /usr/libexec/pt_chown a symlink to /bin/true will
+ # provide the same fix, if needed. But the insecure setting for FUSE
+ # probably opens up many other possible exploits and should be avoided.
+ zcat $CWD/glibc.CVE-2013-2207.diff.gz | patch -p1 --verbose || exit 1
if [ $BOOTSTRP -eq 1 ] ; then
# Multilib - Disable check for forced unwind (Patch from eglibc) since we
# do not have a multilib glibc yet to link to;
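Review bot: The added `zcat $CWD/glibc.CVE-2013-2207.diff.gz | patch -p1 --verbose || exit 1` line tests only the exit status of `patch`, so a missing or truncated archive can fail in `zcat` without stopping the build; whether `patch` then errors on empty or partial input is not guaranteed by this line, and the package could ship without the pt_chown fix. Because this step carries the security fix, check the archive first with `gzip -t "$CWD/glibc.CVE-2013-2207.diff.gz" || exit 1`, and quote `"$CWD"` so a build path containing spaces is not split. The CVE-2013-1914 line above uses the same pattern, so the new line is consistent with the file but inherits that weakness. A post-build assertion that no pt_chown binary ends up in the package would confirm the fix took effect, though the packaging steps are not visible here. The body of apply_patches starts and ends outside the hunk.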