rpms/pulseaudio/F-11 0001-Remove-exploitable-LD_BIND_NOW-hack-CVE-2009-1894.patch, NONE, 1.1 pulseaudio.spec, 1.84, 1.85

Lennart Poettering lennart at fedoraproject.org
Tue Jul 28 20:52:34 UTC 2009 

Author: lennart

Update of /cvs/pkgs/rpms/pulseaudio/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv31669

Modified Files:
	pulseaudio.spec 
Added Files:
	0001-Remove-exploitable-LD_BIND_NOW-hack-CVE-2009-1894.patch 
Log Message:
Fix bug 510071

0001-Remove-exploitable-LD_BIND_NOW-hack-CVE-2009-1894.patch:
 configure.ac      |    6 ++++++
 src/Makefile.am   |    4 ++--
 src/daemon/main.c |   23 -----------------------
 3 files changed, 8 insertions(+), 25 deletions(-)

--- NEW FILE 0001-Remove-exploitable-LD_BIND_NOW-hack-CVE-2009-1894.patch ---
>From 84200b423ebfa7e2dad9b1b65f64eac7bf3d2114 Mon Sep 17 00:00:00 2001
From: =?utf-8?q?Diego=20Elio=20'Flameeyes'=20Petten=C3=B2?= <flameeyes at gmail.com>
Date: Tue, 7 Jul 2009 20:51:53 +0200
Subject: [PATCH] Remove exploitable LD_BIND_NOW hack (CVE-2009-1894).

Instead of trying to re-execute pulseaudio itself with LD_BIND_NOW set,
just find the correct flag for the linker to request immediate bindings
(all ELF files support that option), and use that when linking the daemon.

Reduce the amount of compiled and executed code as well.
---
 configure.ac      |    6 ++++++
 src/Makefile.am   |    4 ++--
 src/daemon/main.c |   22 ----------------------
 3 files changed, 8 insertions(+), 24 deletions(-)

diff --git a/configure.ac b/configure.ac
index 9c96d1c..cc7f674 100644
--- a/configure.ac
+++ b/configure.ac
@@ -113,6 +113,12 @@ CC_CHECK_LDFLAGS([${tmp_ldflag}],
     [VERSIONING_LDFLAGS='-Wl,-version-script=$(srcdir)/map-file'])
 AC_SUBST([VERSIONING_LDFLAGS])
 
+dnl Use immediate (now) bindings; avoids the funky re-call in itself
+dnl  the -z now syntax is lifted from Sun's linker and works with GNU's too
+dnl  other linkes might be added later
+CC_CHECK_LDFLAGS([-Wl,-z,now], [IMMEDIATE_LDFLAGS="-Wl,-z,now"])
+AC_SUBST([IMMEDIATE_LDFLAGS])
+
 dnl Check for the proper way to build libraries that have no undefined
 dnl symbols; on some hosts this needs to be avoided but the macro
 dnl takes care of it.
diff --git a/src/Makefile.am b/src/Makefile.am
index 7ebf1f8..ac627c8 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -183,9 +183,9 @@ PREOPEN_LIBS = $(modlibexec_LTLIBRARIES)
 endif
 
 if FORCE_PREOPEN
-pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) -dlpreopen force $(foreach f,$(PREOPEN_LIBS),-dlpreopen $(f))
+pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) $(IMMEDIATE_LDFLAGS) -dlpreopen force $(foreach f,$(PREOPEN_LIBS),-dlpreopen $(f))
 else
-pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) -dlopen force $(foreach f,$(PREOPEN_LIBS),-dlopen $(f))
+pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) $(IMMEDIATE_LDFLAGS) -dlopen force $(foreach f,$(PREOPEN_LIBS),-dlopen $(f))
 endif
 
 ###################################
diff --git a/src/daemon/main.c b/src/daemon/main.c
index eb378d2..0f6fc90 100644
--- a/src/daemon/main.c
+++ b/src/daemon/main.c
@@ -401,28 +401,6 @@ int main(int argc, char *argv[]) {
     pa_log_set_level(PA_LOG_NOTICE);
     pa_log_set_flags(PA_LOG_COLORS|PA_LOG_PRINT_FILE|PA_LOG_PRINT_LEVEL, PA_LOG_RESET);
 
-#if defined(__linux__) && defined(__OPTIMIZE__)
-    /*
-       Disable lazy relocations to make usage of external libraries
-       more deterministic for our RT threads. We abuse __OPTIMIZE__ as
-       a check whether we are a debug build or not.
-    */
-
-    if (!getenv("LD_BIND_NOW")) {
-        char *rp;
-
-        /* We have to execute ourselves, because the libc caches the
-         * value of $LD_BIND_NOW on initialization. */
-
-        pa_set_env("LD_BIND_NOW", "1");
-
-        if ((rp = pa_readlink("/proc/self/exe")))
-            pa_assert_se(execv(rp, argv) == 0);
-        else
-            pa_log_warn("Couldn't read /proc/self/exe, cannot self execute. Running in a chroot()?");
-    }
-#endif
-
     if ((e = getenv("PULSE_PASSED_FD"))) {
         passed_fd = atoi(e);
 
-- 
1.6.3.3



Index: pulseaudio.spec
===================================================================
RCS file: /cvs/pkgs/rpms/pulseaudio/F-11/pulseaudio.spec,v
retrieving revision 1.84
retrieving revision 1.85
diff -u -p -r1.84 -r1.85
--- pulseaudio.spec	9 Jun 2009 17:53:35 -0000	1.84
+++ pulseaudio.spec	28 Jul 2009 20:52:33 -0000	1.85
@@ -3,7 +3,7 @@
 Name:		pulseaudio
 Summary: 	Improved Linux sound server
 Version:	0.9.15
-Release:	14%{?dist}
+Release:	15%{?dist}
 License:	GPLv2+
 Group:		System Environment/Daemons
 Source0:	http://0pointer.de/lennart/projects/pulseaudio/pulseaudio-%{version}.tar.gz
@@ -36,6 +36,7 @@ Patch25: 0001-core-cache-requested-laten
 Patch26: 0001-sample-fix-build-on-BE-archs.patch
 Patch27: 0001-alsa-properly-convert-return-values-of-snd_strerror.patch
 Patch28: 0001-alsa-remove-debug-code.patch
+Patch29: 0001-Remove-exploitable-LD_BIND_NOW-hack-CVE-2009-1894.patch
 URL:		http://pulseaudio.org
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires:  m4
@@ -244,6 +245,7 @@ This package contains command line utili
 %patch26 -p1 
 %patch27 -p1 
 %patch28 -p1 
+%patch29 -p1
 
 %build
 CFLAGS="-ggdb" %configure --disable-static --disable-rpath --with-system-user=pulse --with-system-group=pulse --with-realtime-group=pulse-rt --with-access-group=pulse-access
@@ -464,6 +466,9 @@ groupadd -r pulse-access &>/dev/null || 
 %{_mandir}/man1/pax11publish.1.gz
 
 %changelog
+* Tue Jul 28 2009 Lennart Poettering <lpoetter at redhat.com> 0.9.15-15
+- Fix bug 510071
+
 * Tue Jun 9 2009 Lennart Poettering <lpoetter at redhat.com> 0.9.15-14
 - Fix mmap() related segfault
 - Closes #504750

More information about the fedora-extras-commits mailing list