Brutal vulnerability in glibc. FreeBSD is OK, right?

[jb82]

Hi,

just curious whether this glibc vulnerability which has been there for almost 2 years affects FreeBSD in any way.

Glibc Dynamic Loader Hit By A Nasty Local Privilege Escalation Vulnerability - Phoronix

www.phoronix.com

 

[SirDice]

just curious whether this glibc vulnerability which has been there for almost 2 years affects FreeBSD in any way.

FreeBSD has its own implementation of libc, so there's no glibc here. Thus, a glibc specific issue doesn't affect us.

That said, I do wonder about Linux_base. Because that does have a glibc. And this could potentially be leveraged to gain more privileges.

 

[SirDice]

Alright, I think it'll be fine. Red Hat Enterprise 7 (on which CentOS 7 is based) isn't affected. So emulators/linux_base-c7 should be safe.

cve-details

 

[cracauer@]

Hm. Time for a new Ubuntu /compat base with Linux-chrome...

 

[Crivens]

Hm. Time for a new Ubuntu /compat base with Linux-chrome...

... and we wonder why the weather is too hot for this time of the year. We are downwind from your build cluster

 

[cracauer@]

I wonder whether it makes sense to just kill all suid bits inside /compat/*. I don't see why I would need them. That would disable this particular issue.

 

[zirias@]

Hm. Time for a new Ubuntu /compat base with Linux-chrome...

Or someone help me move this forward: https://github.com/Zirias/freebsd-ports-overlay-linuxsrc ? (Disclaimer: I'm still not sure myself it's a good idea...)

I paused working on it after realizing I'll probably need rust for Linuxulator to move forward

 

[cracauer@]

Another idea I had is a sysctl that allows you to turn off setui in /compact. That would help here and as I said currently I don't see why I need setuid binaries in /compact.

 

[BaronBS]

Alright, I think it'll be fine. Red Hat Enterprise 7 (on which CentOS 7 is based) isn't affected. So emulators/linux_base-c7 should be safe.

cve-details

Is there a plan on what we are going to do with linux compatibility layer when C7 became too old? Do you know if Ubuntu will be the new default?

 

[cracauer@]

Is there a plan on what we are going to do with linux compatibility layer when C7 became too old? Do you know if Ubuntu will be the new default?

That would kill the "liked by big vendors support" option.

Maybe it should be Rocky Linux.

 

[jb82]

That would kill the "liked by big vendors support" option.

Maybe it should be Rocky Linux.

Please, no Ubuntu. +1 for Rocky Linux though!

 

[Crivens]

Another idea I had is a sysctl that allows you to turn off setui in /compact. That would help here and as I said currently I don't see why I need setuid binaries in /compact.

Maybe generalize the "nosuid" and other features from mountpoints to maybe any directory to kill bits on the files/directories under it?
That way we not only could lock down /compat, but more places as well.

 

[cracauer@]

Maybe generalize the "nosuid" and other features from mountpoints to maybe any directory to kill bits on the files/directories under it?
That way we not only could lock down /compat, but more places as well.

Yeah, I discussed this at work and maybe it is better to not do this on a filesystem level at all but lock down all compat functionality, including e.g. 32-bit FreeBSD binaries on 64 bit systems. Who needs those to be setuid?

 

[Crivens]

Yeah, I discussed this at work and maybe it is better to not do this on a filesystem level at all but lock down all compat functionality, including e.g. 32-bit FreeBSD binaries on 64 bit systems. Who needs those to be setuid?

I would like an evaluation if it would be better to do a white list feature here. Mark directories which are allowed to contain setuid/setgid binaries and block all the rest. Is there a reason we need to allow this feature all around the place?

 

[shkhln]

Alright, I think it'll be fine. Red Hat Enterprise 7 (on which CentOS 7 is based) isn't affected. So emulators/linux_base-c7 should be safe.

cve-details

I don't see suid binaries in my /compat/linux/bin. Are there any?

 

[cracauer@]

I don't see any suid binaries in my /compat/linux/bin. Are there any?

/sbin/?

 

[shkhln]

Who needs those to be setuid?

Linux jails might need this. Never bothered with them, though.

/sbin/?

Still nothing.

 

[cracauer@]

/usr/bin/sudo would be a setuid example on my machine.

I am not sure why /bin/login doesn't have the setuid bit set, probably some systemd scheenegans.

 

[shkhln]

We don't have Linux sudo packaged for obvious reasons.