Patchwork [raring,CVE,1/1] UBUNTU: [Packaging] supply perf with appropriate prefix to ensure use of local config

Submitter Andy Whitcroft
Date July 31, 2013, 6:09 p.m.
Message ID <1375294169-9567-5-git-send-email-apw@canonical.com>
Permalink /patch/263786/
State New

Comments

Andy Whitcroft - July 31, 2013, 6:09 p.m.
If we do not supply an installation prefix when we are building perf
it will assume it is designed to run relative to the builder's HOME.
This means that as built on a buildd we will check for the system
configuration relative to the buildd user's home rather than in /etc.
This implies a local user could use this to compromise other users _if_
there is a buildd user installed on the system and they have access to it.

CVE-2013-1060
BugLink: http://bugs.launchpad.net/bugs/1206200
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 debian/rules.d/2-binary-arch.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Brad Figg - Aug. 1, 2013, 7:33 a.m.
On 07/31/2013 07:09 PM, Andy Whitcroft wrote:
> If we do not supply an installation prefix when we are building perf
> it will assume it is designed to run relative to the builder's HOME.
> This means that as built on a buildd we will check for the system
> configuration relative to the buildd user's home rather than in /etc.
> This implies a local user could use this to compromise other users _if_
> there is a buildd user installed on the system and they have access to it.
>
> CVE-2013-1060
> BugLink: http://bugs.launchpad.net/bugs/1206200
> Signed-off-by: Andy Whitcroft <apw@canonical.com>
> ---
>   debian/rules.d/2-binary-arch.mk | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
> index 45dd4cc..c593ef2 100644
> --- a/debian/rules.d/2-binary-arch.mk
> +++ b/debian/rules.d/2-binary-arch.mk
> @@ -455,7 +455,7 @@ $(stampdir)/stamp-build-perarch: $(stampdir)/stamp-prepare-perarch
>   ifeq ($(do_tools),true)
>   ifeq ($(do_tools_perf),true)
>   	cd $(builddirpa)/tools/perf && \
> -		make HAVE_CPLUS_DEMANGLE=1 CROSS_COMPILE=$(CROSS_COMPILE) NO_LIBPYTHON=1 NO_LIBPERL=1
> +		make prefix=/usr HAVE_CPLUS_DEMANGLE=1 CROSS_COMPILE=$(CROSS_COMPILE) NO_LIBPYTHON=1 NO_LIBPERL=1
>   endif
>   	if [ "$(arch)" = "amd64" ] || [ "$(arch)" = "i386" ]; then \
>   		cd $(builddirpa)/tools/power/x86/x86_energy_perf_policy && make CROSS_COMPILE=$(CROSS_COMPILE); \
>
Tim Gardner - Aug. 1, 2013, 9 a.m.

Patch

diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
index 45dd4cc..c593ef2 100644
--- a/debian/rules.d/2-binary-arch.mk
+++ b/debian/rules.d/2-binary-arch.mk
@@ -455,7 +455,7 @@  $(stampdir)/stamp-build-perarch: $(stampdir)/stamp-prepare-perarch
 ifeq ($(do_tools),true)
 ifeq ($(do_tools_perf),true)
 	cd $(builddirpa)/tools/perf && \
-		make HAVE_CPLUS_DEMANGLE=1 CROSS_COMPILE=$(CROSS_COMPILE) NO_LIBPYTHON=1 NO_LIBPERL=1
+		make prefix=/usr HAVE_CPLUS_DEMANGLE=1 CROSS_COMPILE=$(CROSS_COMPILE) NO_LIBPYTHON=1 NO_LIBPERL=1
 endif
 	if [ "$(arch)" = "amd64" ] || [ "$(arch)" = "i386" ]; then \
 		cd $(builddirpa)/tools/power/x86/x86_energy_perf_policy && make CROSS_COMPILE=$(CROSS_COMPILE); \
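
Review bot: The `prefix=/usr` added to the perf `make` line is the entire fix for CVE-2013-1060, yet nothing in 2-binary-arch.mk records why it is there, so it reads like any other build option and could be dropped in a later cleanup of that argument list. Suggest a comment directly above the `cd $(builddirpa)/tools/perf` line saying that without an explicit prefix perf resolves its system configuration relative to the build user's HOME instead of /etc, with the CVE and BugLink for reference. The `make` call for x86_energy_perf_policy in the trailing context passes no prefix; it is worth confirming in the same review that it has no equivalent HOME-relative default.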