| 2008-09-28 16:19:19 |
Kees Cook |
bug |
|
|
added bug |
| 2008-09-28 16:19:19 |
Kees Cook |
bug |
|
|
added attachment 'stack-guard-quick-randomization.diff' (low-cost stack guard randomization) |
| 2008-09-28 16:19:34 |
Kees Cook |
who_made_private |
kees |
|
|
| 2008-09-28 16:19:49 |
Kees Cook |
bug |
|
|
added subscriber Ubuntu Bugs |
| 2008-09-28 16:20:40 |
Kees Cook |
glibc: status |
New |
In Progress |
|
| 2008-09-28 16:20:40 |
Kees Cook |
glibc: assignee |
|
kees |
|
| 2008-09-28 16:20:40 |
Kees Cook |
glibc: importance |
Undecided |
High |
|
| 2008-09-28 16:20:40 |
Kees Cook |
glibc: statusexplanation |
|
|
|
| 2008-09-28 16:20:40 |
Kees Cook |
glibc: milestone |
|
ubuntu-8.10-beta |
|
| 2008-09-28 16:28:38 |
Kees Cook |
bug |
|
|
added attachment 'glibc_2.8~20080505-0ubuntu7.debdiff' (glibc_2.8~20080505-0ubuntu7.debdiff) |
| 2008-09-28 16:31:19 |
Kees Cook |
bug |
|
|
added attachment 'glibc_2.8~20080505-0ubuntu7.debdiff' (glibc_2.8~20080505-0ubuntu7.debdiff) |
| 2008-09-28 16:32:09 |
Kees Cook |
glibc: status |
In Progress |
Fix Committed |
|
| 2008-09-29 09:19:22 |
Launchpad Janitor |
glibc: status |
Fix Committed |
Fix Released |
|
| 2009-07-29 14:17:26 |
Kees Cook |
bug task added |
|
glibc (Ubuntu Dapper) |
|
| 2009-07-29 14:17:26 |
Kees Cook |
bug task added |
|
glibc (Ubuntu Hardy) |
|
| 2009-07-29 14:17:41 |
Kees Cook |
glibc (Ubuntu Dapper): status |
New |
Triaged |
|
| 2009-07-29 14:17:46 |
Kees Cook |
glibc (Ubuntu Hardy): status |
New |
Triaged |
|
| 2009-07-30 06:06:34 |
Kees Cook |
glibc (Ubuntu Dapper): status |
Triaged |
Won't Fix |
|
| 2009-07-30 06:52:44 |
Kees Cook |
glibc (Ubuntu Hardy): status |
Triaged |
In Progress |
|
| 2009-07-30 06:53:04 |
Kees Cook |
glibc (Ubuntu Hardy): importance |
Undecided |
Medium |
|
| 2009-07-30 06:53:04 |
Kees Cook |
glibc (Ubuntu Hardy): assignee |
|
Kees Cook (kees) |
|
| 2009-07-30 08:15:21 |
Kees Cook |
attachment added |
|
glibc_2.7-10ubuntu5.debdiff http://launchpadlibrarian.net/29706841/glibc_2.7-10ubuntu5.debdiff |
|
| 2009-08-12 23:11:37 |
Kees Cook |
description |
glibc's SSP implementation is using only the static 0xff0a0000 guard value. Fedora has been carrying an unupstreamed glibc patch for 3 years to make this relatively random.
(see _dl_setup_stack_chk_guard):
http://cvs.fedora.redhat.com/viewvc/devel/glibc/glibc-fedora.patch?revision=1.283&view=markup |
glibc's SSP implementation is using only the static 0xff0a0000 guard value. Fedora has been carrying an unupstreamed glibc patch for 3 years to make this relatively random.
(see _dl_setup_stack_chk_guard):
http://cvs.fedora.redhat.com/viewvc/devel/glibc/glibc-fedora.patch?revision=1.283&view=markup
TEST CASE:
bzr branch lp:~ubuntu-bugcontrol/qa-regression-testing/master qa-regression-testing
cd qa-regression-testing/scripts
sudo apt-get install lsb-release build-essential
./test-glibc-security.py -v
EXPECTED:
Build helper tools ... (8.04) ok
glibc heap protection ... ok
sprintf not pre-truncated with -D_FORTIFY_SOURCE=2 ... (skipped: Hardy known broken) ok
glibc pointer obfuscation ... ok
Password hashes ... (md5) ok
Stack guard exists ... ok
Stack guard leads with zero byte ... ok
Stack guard is randomized ... ok
CURRENTLY:
Stack guard is randomized ... FAIL
======================================================================
FAIL: Stack guard is randomized
----------------------------------------------------------------------
Traceback (most recent call last):
File "./test-glibc-security.py", line 199, in test_82_stack_guard_randomized
self.assertEqual(one != two and one != three and two != three, expected, one + two + three)
AssertionError: 0xff0a0000
0xff0a0000
0xff0a0000
|
|
| 2009-08-12 23:15:32 |
Kees Cook |
description |
glibc's SSP implementation is using only the static 0xff0a0000 guard value. Fedora has been carrying an unupstreamed glibc patch for 3 years to make this relatively random.
(see _dl_setup_stack_chk_guard):
http://cvs.fedora.redhat.com/viewvc/devel/glibc/glibc-fedora.patch?revision=1.283&view=markup
TEST CASE:
bzr branch lp:~ubuntu-bugcontrol/qa-regression-testing/master qa-regression-testing
cd qa-regression-testing/scripts
sudo apt-get install lsb-release build-essential
./test-glibc-security.py -v
EXPECTED:
Build helper tools ... (8.04) ok
glibc heap protection ... ok
sprintf not pre-truncated with -D_FORTIFY_SOURCE=2 ... (skipped: Hardy known broken) ok
glibc pointer obfuscation ... ok
Password hashes ... (md5) ok
Stack guard exists ... ok
Stack guard leads with zero byte ... ok
Stack guard is randomized ... ok
CURRENTLY:
Stack guard is randomized ... FAIL
======================================================================
FAIL: Stack guard is randomized
----------------------------------------------------------------------
Traceback (most recent call last):
File "./test-glibc-security.py", line 199, in test_82_stack_guard_randomized
self.assertEqual(one != two and one != three and two != three, expected, one + two + three)
AssertionError: 0xff0a0000
0xff0a0000
0xff0a0000
|
glibc's SSP implementation is using only the static 0xff0a0000 guard value. Fedora has been carrying an unupstreamed glibc patch for 3 years to make this relatively random.
(see _dl_setup_stack_chk_guard):
http://cvs.fedora.redhat.com/viewvc/devel/glibc/glibc-fedora.patch?revision=1.283&view=markup
statement explaining the impact: stack overflow attacks are easier to launch when the stack guard is a known value.
how the bug has been addressed: Fedora patch ported in Intrepid, Jaunty. Karmic uses AT_RANDOM.
regression potential: comparing build log output shows no differences -- all tests seem to pass:
https://edge.launchpad.net/~kees/+archive/ppa/+build/1159081
TEST CASE:
bzr branch lp:~ubuntu-bugcontrol/qa-regression-testing/master qa-regression-testing
cd qa-regression-testing/scripts
sudo apt-get install lsb-release build-essential
./test-glibc-security.py -v
EXPECTED:
Build helper tools ... (8.04) ok
glibc heap protection ... ok
sprintf not pre-truncated with -D_FORTIFY_SOURCE=2 ... (skipped: Hardy known broken) ok
glibc pointer obfuscation ... ok
Password hashes ... (md5) ok
Stack guard exists ... ok
Stack guard leads with zero byte ... ok
Stack guard is randomized ... ok
CURRENTLY:
Stack guard is randomized ... FAIL
======================================================================
FAIL: Stack guard is randomized
----------------------------------------------------------------------
Traceback (most recent call last):
File "./test-glibc-security.py", line 199, in test_82_stack_guard_randomized
self.assertEqual(one != two and one != three and two != three, expected, one + two + three)
AssertionError: 0xff0a0000
0xff0a0000
0xff0a0000
|
|
| 2009-08-17 23:14:14 |
Steve Langasek |
glibc (Ubuntu Hardy): status |
In Progress |
Fix Committed |
|
| 2009-08-17 23:14:21 |
Steve Langasek |
tags |
|
verification-needed |
|
| 2009-08-19 23:19:03 |
Brian Murray |
tags |
verification-needed |
verification-done |
|
| 2009-08-29 20:17:09 |
Launchpad Janitor |
glibc (Ubuntu Hardy): status |
Fix Committed |
Fix Released |
|
| 2010-02-22 22:15:23 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/hardy-proposed/glibc |
|
| 2010-02-22 22:18:16 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/intrepid/glibc |
|
