Security: local privilege escalation via glibc realpath() buffer underflow (CVE-2018-1000001)
Issue description: See https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/ No official patches currently available AFAICT, but there's a patch proposed at the description linked above. Amounts to a potential privilege escalation from unprivileged user to root via suid binaries. Might be reachable via ARC++ / Android NDK from untrusted code, hence setting severity high. OK to go back to medium if ARC++ is confirmed to not be a viable vector. Assigning to llozano to route to the correct toolchain engineer. Setting NextAction for Monday to re-check availability of official patches.
Jan 12 2018
Jan 12 2018
Assigning to Yunlian to apply patches. Note that the branch point is on the 18th. Why is this labeled with M-63? Are we still updating 63? What about 64? (I hope we don't need to apply this to any previous branches.)
Jan 15 2018
The NextAction date has arrived: 2018-01-15
Jan 16 2018
If we can get this into the upcoming stable (i.e. M64), that'd be entirely sufficient. FWIW, upstream fix is here: https://sourceware.org/git/?p=glibc.git;a=commit;h=52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94 BTW, any plans to uprev glibc to 2.26?
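The upstream fix linked above makes getcwd() fail rather than return a path that does not begin with '/'. To show why that one check matters, here is an added example (not glibc's code, not anything from the Chromium OS tree): a small realpath()-style resolver that seeds its buffer with a working directory and handles ".." by walking back to the previous '/'. That backward walk is only bounded by the leading '/' of an absolute path; the Linux getcwd syscall can return a string such as "(unreachable)/dir" when the cwd lies outside the reachable root, and a resolver that trusts it walks off the front of its buffer. The function refuses a non-absolute cwd up front. The function names and the "(unreachable)" sample inputs are assumptions for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Resolve rel against cwd the way a realpath()-style implementation does.
 * Returns 0 with the normalized absolute path in out, or -1 with errno set:
 * EINVAL if cwd is not absolute, ENAMETOOLONG if out is too small.
 */
int resolve_against_cwd(const char *cwd, const char *rel, char *out, size_t outlen)
{
    /* The check the upstream fix adds, in spirit: a non-absolute cwd such as
     * "(unreachable)/dir" (constructed sample, not a real syscall result here)
     * must be rejected before any ".." walk relies on out[0] == '/'. */
    if (cwd == NULL || cwd[0] != '/') {
        errno = EINVAL;
        return -1;
    }
    size_t len = strlen(cwd);
    if (len + 1 > outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(out, cwd, len + 1);
    char *dest = out + len;                    /* points at the terminating NUL */
    while (dest > out + 1 && dest[-1] == '/')  /* drop trailing slashes, keep "/" */
        *--dest = '\0';

    const char *p = rel;
    while (*p != '\0') {
        while (*p == '/')
            p++;
        if (*p == '\0')
            break;
        const char *start = p;
        while (*p != '\0' && *p != '/')
            p++;
        size_t clen = (size_t)(p - start);

        if (clen == 1 && start[0] == '.')
            continue;                          /* "." is a no-op */
        if (clen == 2 && start[0] == '.' && start[1] == '.') {
            if (dest == out + 1)
                continue;                      /* already at "/", ".." stays there */
            /* Walk back to the previous '/'.  Nothing bounds this scan except
             * out[0] == '/': with a non-absolute cwd it would run below out,
             * which is the underflow behind CVE-2018-1000001. */
            char *slash = dest - 1;
            while (*slash != '/')
                slash--;
            dest = (slash == out) ? out + 1 : slash;
            *dest = '\0';
            continue;
        }
        /* Ordinary component: append "/name" (root already ends in '/'). */
        size_t need = (size_t)(dest - out) + (dest == out + 1 ? 0 : 1) + clen + 1;
        if (need > outlen) {
            errno = ENAMETOOLONG;
            return -1;
        }
        if (dest != out + 1)
            *dest++ = '/';
        memcpy(dest, start, clen);
        dest += clen;
        *dest = '\0';
    }
    return 0;
}

/* 1 if resolving rel against cwd yields exactly expect. */
int resolves_to(const char *cwd, const char *rel, const char *expect)
{
    char buf[64];
    if (resolve_against_cwd(cwd, rel, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expect) == 0;
}

/* 1 if resolving rel against cwd fails with errno == want_errno. */
int rejected_with(const char *cwd, const char *rel, int want_errno)
{
    char buf[64];
    errno = 0;
    if (resolve_against_cwd(cwd, rel, buf, sizeof buf) != -1)
        return 0;
    return errno == want_errno;
}

int main(void)
{
    /* Constructed inputs; the third mimics a getcwd result outside the root. */
    const char *cases[][2] = { { "/a/b", "../c" }, { "/a", "../../c" },
                               { "(unreachable)/a", "../c" } };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char buf[64];
        if (resolve_against_cwd(cases[i][0], cases[i][1], buf, sizeof buf) == 0)
            printf("%s + %s -> %s\n", cases[i][0], cases[i][1], buf);
        else
            printf("%s + %s -> rejected: %s\n", cases[i][0], cases[i][1], strerror(errno));
    }
    return 0;
}
```

The point to take from the ".." branch is that the bound on the backward scan is implicit: it is the invariant that the buffer starts with '/'. Validating that invariant where the cwd enters (the getcwd() side, as upstream did) is what closes the hole; clamping the scan inside the resolver would only mask a cwd that is already wrong.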
Jan 16 2018
I will prepare a patch today and start to test it. Currently we do not have plans to uprev to glibc 2.26.
Jan 17 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/2ddeec9c542d49850f550d01e566cc28ac747fd7

commit 2ddeec9c542d49850f550d01e566cc28ac747fd7
Author: Yunlian Jiang <yunlian@chromium.org>
Date: Wed Jan 17 19:04:18 2018

glibc: fix glibc bug [BZ #22679]

This backports upstream patch

commit 52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94
Author: Dmitry V. Levin <ldv@altlinux.org>
Date: Sun Jan 7 02:03:41 2018 +0000

linux: make getcwd(3) fail if it cannot obtain an absolute path [BZ #22679]

[BZ #22679] CVE-2018-1000001
* sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to generic_getcwd if the path returned by getcwd syscall is not absolute.
* io/tst-getcwd-abspath.c: New test.
* io/Makefile (tests): Add tst-getcwd-abspath.

BUG=chromium:801514
TEST=cbuildbot chromiumos-sdk falco-release daisy-release kevin-release

Change-Id: I70ab64c40ed5115f5ee9357e637d75fdefddfece
Reviewed-on: https://chromium-review.googlesource.com/868392
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Trybot-Ready: Yunlian Jiang <yunlian@chromium.org>
Commit-Queue: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>

[add] https://crrev.com/2ddeec9c542d49850f550d01e566cc28ac747fd7/sys-libs/glibc/files/local/glibc-2.23-getcwd.patch
[rename] https://crrev.com/2ddeec9c542d49850f550d01e566cc28ac747fd7/sys-libs/glibc/glibc-2.23-r14.ebuild
Jan 17 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/41a4c5c50b5654852356170eead49810e65fa732

commit 41a4c5c50b5654852356170eead49810e65fa732
Author: Yunlian Jiang <yunlian@chromium.org>
Date: Wed Jan 17 23:46:48 2018

glibc: fix glibc bug [BZ #22679]

This backports upstream patch

commit 52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94
Author: Dmitry V. Levin <ldv@altlinux.org>
Date: Sun Jan 7 02:03:41 2018 +0000

linux: make getcwd(3) fail if it cannot obtain an absolute path [BZ #22679]

[BZ #22679] CVE-2018-1000001
* sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to generic_getcwd if the path returned by getcwd syscall is not absolute.
* io/tst-getcwd-abspath.c: New test.
* io/Makefile (tests): Add tst-getcwd-abspath.

BUG=chromium:801514
TEST=cbuildbot chromiumos-sdk falco-release daisy-release kevin-release

Change-Id: I6c43cab402c2f7d9df1ba376f55e3af982a7da3d
Reviewed-on: https://chromium-review.googlesource.com/871984
Reviewed-by: Luis Lozano <llozano@chromium.org>
Commit-Queue: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Trybot-Ready: Yunlian Jiang <yunlian@chromium.org>

[add] https://crrev.com/41a4c5c50b5654852356170eead49810e65fa732/sys-libs/glibc/files/local/glibc-2.23-getcwd.patch
[rename] https://crrev.com/41a4c5c50b5654852356170eead49810e65fa732/sys-libs/glibc/glibc-2.23-r12.ebuild
Jan 17 2018
The change in #11 does not actually backport the fix to R64. We need to re-generate the SDK for R64 to make it really work.
Jan 18 2018
I don't see how this has any relationship to ARC++. That runs entirely in its own container using its own userland and C library (bionic). If you're talking about arbitrary APKs that have linked arbitrary C libraries, updating the C library in CrOS wouldn't have any impact on that as none of that code is visible.
Jan 22 2018
As Mike said, ARC++ is running in its own container and the C library for ChromeOS does not have anything to do with it. Removing R64 label.
Jan 22 2018
Jorge, we have this change in R65; do we need to backport this to R64?
Jan 22 2018
Mattias, does the comment in #13 resolve your concerns?
Jan 22 2018
Mattias is out this week. I think based on the fact that the container does not use glibc, and cannot see glibc to link against it, this can stay 65-only.
Jan 22 2018
Thanks, I will close this one.
Jan 29 2018
Ah, sorry about the APK confusion on my side, the container doesn't use the Chrome OS glibc copy of course. All good then, updating severity to medium. Would be interesting to dig into bionic to see whether it can go off rails when getcwd() returns a relative path, but that's a different issue.
May 1 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot