[raring,CVE,1/1] UBUNTU: [Packaging] supply perf with appropriate prefix to ensure use of local config

Message ID 1375294169-9567-5-git-send-email-apw@canonical.com
State New

Commit Message

Andy Whitcroft July 31, 2013, 6:09 p.m. UTC
If we do not supply an installation prefix when we are building perf
it will assume it is designed to run relative to the builder's HOME.
This means that as built on a buildd we will check for the system
configuration relative to the buildd user's home rather than in /etc.
This implies a local user could use this to compromise other users _if_
there is a buildd user installed on the system and they have access to it.

CVE-2013-1060
BugLink: http://bugs.launchpad.net/bugs/1206200
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 debian/rules.d/2-binary-arch.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Brad Figg Aug. 1, 2013, 7:33 a.m. UTC | #1
On 07/31/2013 07:09 PM, Andy Whitcroft wrote:
> If we do not supply an installation prefix when we are building perf
> it will assume it is designed to run relative to the builder's HOME.
> This means that as built on a buildd we will check for the system
> configuration relative to the buildd user's home rather than in /etc.
> This implies a local user could use this to compromise other users _if_
> there is a buildd user installed on the system and they have access to it.
>
> CVE-2013-1060
> BugLink: http://bugs.launchpad.net/bugs/1206200
> Signed-off-by: Andy Whitcroft <apw@canonical.com>
> ---
>   debian/rules.d/2-binary-arch.mk | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
> index 45dd4cc..c593ef2 100644
> --- a/debian/rules.d/2-binary-arch.mk
> +++ b/debian/rules.d/2-binary-arch.mk
> @@ -455,7 +455,7 @@ $(stampdir)/stamp-build-perarch: $(stampdir)/stamp-prepare-perarch
>   ifeq ($(do_tools),true)
>   ifeq ($(do_tools_perf),true)
>   	cd $(builddirpa)/tools/perf && \
> -		make HAVE_CPLUS_DEMANGLE=1 CROSS_COMPILE=$(CROSS_COMPILE) NO_LIBPYTHON=1 NO_LIBPERL=1
> +		make prefix=/usr HAVE_CPLUS_DEMANGLE=1 CROSS_COMPILE=$(CROSS_COMPILE) NO_LIBPYTHON=1 NO_LIBPERL=1
>   endif
>   	if [ "$(arch)" = "amd64" ] || [ "$(arch)" = "i386" ]; then \
>   		cd $(builddirpa)/tools/power/x86/x86_energy_perf_policy && make CROSS_COMPILE=$(CROSS_COMPILE); \
>
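Review bot: the `prefix=/usr` on the added make line carries the whole fix for CVE-2013-1060, yet nothing in 2-binary-arch.mk records why it is there. A short comment above the perf make invocation, saying that without a prefix perf assumes it runs relative to the builder's HOME and looks for its system configuration there, would keep the argument from being dropped in a later tidy-up of the make flags.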
Tim Gardner Aug. 1, 2013, 9 a.m. UTC | #2

Patch

diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
index 45dd4cc..c593ef2 100644
--- a/debian/rules.d/2-binary-arch.mk
+++ b/debian/rules.d/2-binary-arch.mk
@@ -455,7 +455,7 @@  $(stampdir)/stamp-build-perarch: $(stampdir)/stamp-prepare-perarch
 ifeq ($(do_tools),true)
 ifeq ($(do_tools_perf),true)
 	cd $(builddirpa)/tools/perf && \
-		make HAVE_CPLUS_DEMANGLE=1 CROSS_COMPILE=$(CROSS_COMPILE) NO_LIBPYTHON=1 NO_LIBPERL=1
+		make prefix=/usr HAVE_CPLUS_DEMANGLE=1 CROSS_COMPILE=$(CROSS_COMPILE) NO_LIBPYTHON=1 NO_LIBPERL=1
 endif
 	if [ "$(arch)" = "amd64" ] || [ "$(arch)" = "i386" ]; then \
 		cd $(builddirpa)/tools/power/x86/x86_energy_perf_policy && make CROSS_COMPILE=$(CROSS_COMPILE); \
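Review bot: the added `prefix=/usr` covers only this build invocation in tools/perf; the install step is not part of this hunk, so it is not visible whether it runs make in tools/perf again and, if so, with which prefix. Please confirm that the install path either passes the same `prefix=/usr` or only copies the already built binary, and consider a post-build check in the packaging that fails if the perf binary contains a path under the build user's home, so a regression is caught at build time rather than by a later report.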