LinuxQuestions.org
Old 01-28-2015, 09:35 AM   #1
hua
Patch testing - glibc with the posted patch in security thread


Hello,

For those who want to test the glibc patch posted by mancha in the Slackware security thread.

http://www.linuxquestions.org/questi...00/page22.html

1. Download your version of glibc source. For example:
Code:
wget -r --no-parent http://slackware.osuosl.org/slackware64-14.1/source/l/glibc/
2. Download the patch posted by mancha into the glibc directory (downloaded in the first step):
glibc-patch

3. Edit the glibc.SlackBuild script and run it to build your new glibc package. Add the following line at the end of the patching section in the script:
Code:
patch -p1 --verbose < $TEMP-DIR/glibc-2.17_CVE-2015-0235.diff || exit 1
Note that $TEMP-DIR is the directory of the glibc source which you downloaded in the first step.
The patch line can be added after these lines in the glibc.SlackBuild script:
Code:
  # posix_memalign/memalign/aligned_alloc (CVE-2013-4332).
  zcat $CWD/glibc.CVE-2013-4332.diff.gz | patch -p1 --verbose || exit 1

IMPORTANT - DO NOT USE THIS ON A PRODUCTION SYSTEM. I TESTED IT ONLY IN MY LAB, WHERE THE PATCH WAS SUCCESSFUL!
The purpose was to test the vulnerability.

Thanks Mancha!
 
Old 01-28-2015, 11:40 AM   #2
mancha
Member
 
Registered: Aug 2012
Posts: 484

Rep: Reputation: Disabled
Hi Hua.

You're welcome for the patches.

Updating glibc should not be done by those unfamiliar with the process - it is not for novices. If you're not comfortable with this, wait for Slackware to push official upgrades.

That said, thank you for putting together a brief "how-to". I do have an important correction, though. For Slackware 14.1, you should use the build files from the patches directory (not the L dir) so you have Slackware's latest glibc security update from 20141024.

The following are instructions for Slackware 14.1:
  1. Get build files and new patches

    Code:
    # mkdir mypackages && cd mypackages
    # lftp -c "open http://slackware.osuosl.org/slackware-14.1/patches/source; mirror -c --parallel=3 -n -X *.mirrorlist glibc"
    # cd glibc
    # wget http://sf.net/projects/mancha/files/sec/glibc-2.17_CVE-2014-7817.diff
    # wget http://sf.net/projects/mancha/files/sec/glibc-2.17_CVE-2014-9402.diff
    # wget http://sf.net/projects/mancha/files/sec/glibc-2.17_CVE-2015-0235.diff
  2. Edit Slackbuild

    Using your favorite editor, open glibc.SlackBuild and change the BUILD (line 27) to "9_patched". Also, add the following four lines to the end of apply_patches() (line 207). It should look like this after adding the lines in red:

    Code:
      patch -p1 --verbose < $CWD/glibc-2.17_CVE-2014-5119.diff || exit 1
      patch -p1 --verbose < $CWD/glibc-2.17_CVE-2014-6040.diff || exit 1
      # Security hardening patch from Florian Weimer:
      patch -p1 --verbose < $CWD/glibc-2.17_hardening.diff || exit 1
      # Bugfix patch for optimization in gcc-4.8+:
      patch -p1 --verbose < $CWD/glibc-2.17_gcc48-unsafe-optim.diff || exit 1
      # New security patches
      patch -p1 --verbose < $CWD/glibc-2.17_CVE-2014-7817.diff || exit 1
      patch -p1 --verbose < $CWD/glibc-2.17_CVE-2014-9402.diff || exit 1
      patch -p1 --verbose < $CWD/glibc-2.17_CVE-2015-0235.diff || exit 1
    }
    
    # This is going to be the initial $DESTDIR:
    export PKG=$TMP/package-glibc-incoming-tree
  3. Build

    Code:
    # sh glibc.SlackBuild
New packages will be in /glibc-$COOKIE. A similar process can be followed for those running current.


--mancha
 
2 members found this post helpful.
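
Added example, not part of mancha's post or of Slackware's build scripts: a pre-build check that every patch the edited glibc.SlackBuild applies is present in the build directory, and that every downloaded CVE diff is actually applied by the script. The function names are hypothetical; it assumes patches are referenced as `$CWD/<name>.diff` or `.diff.gz` on `patch` lines, as in the lines posted above, and that security diffs carry `CVE-` in their file names.

```shell
#!/bin/sh
# Pre-build consistency check for a hand-edited glibc.SlackBuild (added example).

# Print the patch file names the script applies: tokens after $CWD/ on
# non-comment lines that invoke patch.
referenced_patches() {
  grep -v '^[[:space:]]*#' "$1" | grep 'patch ' \
    | grep -oE '\$CWD/[^ |]+\.diff(\.gz)?' \
    | sed 's|^\$CWD/||' | sort -u
}

# check_patches DIR: returns 0 if script and directory agree, 1 if not,
# 2 if DIR has no glibc.SlackBuild. One line is printed per problem.
check_patches() {
  dir=$1; build="$dir/glibc.SlackBuild"; rc=0
  [ -f "$build" ] || { echo "no glibc.SlackBuild in $dir"; return 2; }
  refs=$(referenced_patches "$build")

  # 1. A patch the script applies must exist in the build directory.
  for p in $refs; do
    [ -f "$dir/$p" ] || { echo "MISSING   $p (referenced, not downloaded)"; rc=1; }
  done

  # 2. A downloaded CVE diff that the script never applies means the
  #    package would be built without that fix.
  for f in "$dir"/*CVE-*.diff "$dir"/*CVE-*.diff.gz; do
    [ -f "$f" ] || continue
    name=${f##*/}
    echo "$refs" | grep -qxF "$name" \
      || { echo "UNAPPLIED $name (downloaded, not in script)"; rc=1; }
  done
  return $rc
}

# Run against a directory when one is given on the command line.
if [ $# -gt 0 ]; then check_patches "$1"; fi
```

Run it from the directory that holds glibc.SlackBuild (for example with `.` as the argument) before starting the build.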
Old 01-28-2015, 03:29 PM   #3
hua
Thanks for the correction. I can see that the official patches are already available.
Thanks guys!
 
  

