Debian users: don't upgrade to glibc 2.3.4, take action

a forum for discussing usability issues, general maintenance, and general support for a grsecurity-enabled system.

Moderators: spender, PaX Team

Debian users: don't upgrade to glibc 2.3.4, take action

Postby spender » Thu Mar 24, 2005 10:35 am

Upgrading to glibc 2.3.4 on a Debian system will make your system nearly unusable. Due to RedHat's fundamentally flawed PT_GNU_STACK implementation, many packages have their libraries marked as needing executable stacks, when such executable stacks are not needed. I've filed bug reports with Debian, but they are not taking the issue seriously. Here's one of their replies:

> What do you propose be done then until all the apps in this list (and
> more) are fixed:
>
>https://www.redhat.com/archives/fedora-devel-list/2005-March/msg00459.html

That's not much of a list; I'm not overly concerned.

> I don't know how Debian handles large issues like this, but this is
> something every package maintainer needs to be aware of quickly.
> If Debian doesn't act soon, they'll be releasing many advisories of this
> type:
> http://www.linuxcompatible.org/story41890.html
> and be getting many complaints from PaX users because their system is
> now unusable.

Guess what? Debian does not support PaX.


I urge everyone to contact Debian and make them take this issue seriously, otherwise your systems will soon become unusable.

-Brad
Last edited by spender on Thu Dec 29, 2005 8:02 pm, edited 1 time in total.
spender
 
Posts: 1950
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Lack of Pax support must be a misunderstanding

Postby Pesky Taco » Fri Apr 29, 2005 11:49 pm

Lack of Pax support must be a misunderstanding.
The reason I suggest this is here are supported packages in Sarge (testing)
http://packages.debian.org/testing/admin/paxctl
http://packages.debian.org/testing/devel/paxtest

I did not find your archived bug in the following url,
http://bugs.debian.org/cgi-bin/pkgrepor ... rchive=yes
So I must trust you most likley stated "pax" when to Debian the package is
named, kernel-patch-grsecurity2.

Perhaps if you try again with the new information, they will be more helpful.
Or ask for the following maintainer "Javier Fernández-Sanguino Peña" he has been great to work with.

I would like to see this issue resolved also. As I am very intersted in applying grsecurity to my Debain Kernel.
Yum, Fish Tacos
Pesky Taco
 
Posts: 8
Joined: Mon Oct 18, 2004 1:52 pm

WTF is mikeeusa's reply???

Postby Pesky Taco » Tue May 03, 2005 12:06 am

WTF is mikeeusa's reply have to do with grsecurity?
If you has going to act like an asshole, at least post in the "I am an asshole" thread.
Yum, Fish Tacos
Pesky Taco
 
Posts: 8
Joined: Mon Oct 18, 2004 1:52 pm

Re: WTF is mikeeusa's reply???

Postby Pesky Taco » Sat May 14, 2005 12:37 am

A good Slashdotting does seem to grab attention and realign thinking.
Pesky Taco
 
Posts: 8
Joined: Mon Oct 18, 2004 1:52 pm

Postby Pesky Taco » Sat May 14, 2005 8:30 am

>Have the deb people contacted you back?

When I submitted problems with PAM .conf flies they did contacted me
and asked me to confirm the problems were fixed with the latest update. Hence the name I submitted previously was a Debian maintainer who I know would not just blow off security issues. I submitted the name so spender could have a direct Debian contact. Since spender has first hand knowledge of the problem and I am only reading the second hand his version of the story, I figured spender should resubmit the information. Then what ever reply he get's should be posted here. This way if it is submitted to /. then at least it has been well documented. If it is not documented well, you will have a bunch of posts that state "nothing to see here, move along". A good faith effort produces a better /.ing.
Yum, Fish Tacos
Pesky Taco
 
Posts: 8
Joined: Mon Oct 18, 2004 1:52 pm

Problem with slack 10.1

Postby ringwraith » Tue May 24, 2005 11:05 am

This same problem exists in slackware 10.1. I was quite amazed after I had patched the kernel, rebooted, and come to find out that the more command refuses to work. There was mentioning somewhere (i think in the redhat lists, i cannot find it now??) there is a utility to disable this? Would there be any possible way to make a work around in grsec to allow this flawed implementation to work, hopefully giving it some extra security in the process? I know thats bloat, but it could be a nice grsecurity module.
ringwraith
 
Posts: 1
Joined: Tue May 24, 2005 10:59 am

Postby Pesky Taco » Sun Jun 26, 2005 6:29 pm

[/quote]Was the problem fixed?[/quote]
Yes
Yum, Fish Tacos
Pesky Taco
 
Posts: 8
Joined: Mon Oct 18, 2004 1:52 pm

can't find any fixes :(

Postby nerdpunk » Tue Aug 16, 2005 10:36 am

libc6-2.3.5 has arrived unstable some days ago... still broken...
but there's a deb-repository with a fixed glibc and other fixed packages...
deb http://debian.linux-systeme.com unstable main
(it's from the maintainer of the 2.2 kernel series, i guess :)
nerdpunk
 
Posts: 5
Joined: Tue Aug 16, 2005 10:31 am

Postby rs » Tue Aug 23, 2005 9:19 am

Please, could somebody tell us here when an official Debian fixed libc6 is available? Anybody following the issue at Debian tracker?

Thanks in advance.
rs
 
Posts: 15
Joined: Thu Mar 31, 2005 6:48 pm

Postby Hue-Bond » Tue Sep 06, 2005 8:44 am

I'm running fine with libc6-2.3.5. You can too, *but* only after chpax'ing -m all binaries ;). Or sticking an "M" in the subject flags for all subjects, which is about the same. Just a quick workaround while I think about switching distros...
Hue-Bond
 
Posts: 34
Joined: Mon Dec 13, 2004 4:31 pm

Postby msw » Sun Sep 25, 2005 4:53 pm

i use libc6 2.3.5 now, i didnt notice any problems... the system behaves as before... i activated nearly all of the PAX features.
msw
 
Posts: 8
Joined: Sat Sep 20, 2003 9:36 pm

Postby Melt_Down » Sun Sep 25, 2005 5:53 pm

Is the issue fixed now in the official debian (testing) glibc package?
Melt_Down
 
Posts: 1
Joined: Sun Sep 25, 2005 5:51 pm

Postby kirk22 » Sun Oct 09, 2005 8:52 pm

the problem was fixed in debian's glibc 2.3.5-4, look:

http://packages.qa.debian.org/g/glibc/news/3.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=321718

On Monday 08 August 2005 16:52, Daniel Jacobowitz wrote:

> > I'd suggest to rebuild all required packages (libraries) with
> > CFLAGS -Wa,--noexecstack so that assembled modules get tagged
> > as not needing executable stacks.
> >
> > I've rebuilt some packages (liblzo1, openssl, libgdbm3, libelfg0,
> > libgcrypt11 and so on) with those flags. For everyone who's
> > interested: http://debian.linux-systeme.com/
>
> Absolutely not. Either the package needs an executable stack - in
> which case this is, simply, wrong - or else it doesn't and whatever is
> causing it to be tagged as needing one should be fixed. IIRC it is
> usually a matter of annotating assembly files in some way.

well, so I've uploaded a glibc 2.3.5 package with PaX support.

ciao, Marc
kirk22
 
Posts: 2
Joined: Sun Oct 09, 2005 8:48 pm

Postby PaX Team » Mon Oct 10, 2005 5:36 am

no it wasn't, that's another problem that Red Hat's careless GNU_STACK implementation caused. Marc fixed the PaX related problem in his own packages, it is not in debian officially, and judging from the discussion, it won't be.
PaX Team
 
Posts: 1897
Joined: Mon Mar 18, 2002 4:35 pm

Postby kirk22 » Mon Oct 10, 2005 10:33 am

PaX Team wrote:no it wasn't, that's another problem that Red Hat's careless GNU_STACK implementation caused. Marc fixed the PaX related problem in his own packages, it is not in debian officially, and judging from the discussion, it won't be.


sorry for claiming that it was fixed - i didn't follow the discussion carefully enough.

can we do anything else about it? (should we start a discussion on debian's mailinglist's? http://lists.debian.org/debian-glibc/ or http://lists.debian.org/debian-security/)

what do the glibc people think about it? (i assume this problem does not only affect debian but also everyone else using glibc 2.3.4,2.3.5,...?)
kirk22
 
Posts: 2
Joined: Sun Oct 09, 2005 8:48 pm

Next

Return to grsecurity support