From patchwork Wed Jul 31 18:09:28 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andy Whitcroft X-Patchwork-Id: 263785 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id 7BE942C00A8 for ; Thu, 1 Aug 2013 04:15:21 +1000 (EST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1V4avF-0007vc-Nq; Wed, 31 Jul 2013 18:14:53 +0000 Received: from mail-wi0-f172.google.com ([209.85.212.172]) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1V4aqC-0007X5-1b for kernel-team@lists.ubuntu.com; Wed, 31 Jul 2013 18:09:40 +0000 Received: by mail-wi0-f172.google.com with SMTP id hj13so3702382wib.11 for ; Wed, 31 Jul 2013 11:09:39 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=from:to:cc:subject:date:message-id:x-mailer:in-reply-to:references :x-gm-message-state; bh=XSLeIoqkKn1nlxzVYXV8Sv+N83MMyAabPBcGhQIS6ug=; b=nIUTQy2zDWB9Fm8uX1O9UMo5P6GJXegektC87Q0lJHcn7twMQrEME4kO0HSBrXqfjx q0t8U1iWVjmxvD2R/YiKBJIuQxTVeRY/adG9rNJ1yJrIs4+DZnT9WT5LSShf0tJ9wSD6 3DocRQZ39g087CpXWvnM7uYfVeAbkA49Z82Tk4du8HlfbqNvMCivhA5GZqe7FyPp/III TJk1/wlnZqRJDjQxdJ1xcm1H9mavxnwMw92AB2dO04v8LZ4joUgnqd8ZPX4Mi4g/Zuv+ RBRS8PRZUClWU0Xu9zxohCp+xBRJacXdJPmfib8fOlwaPQ9S2PQGWswhmeRnLqAa4LN3 m+uQ== X-Received: by 10.194.7.137 with SMTP id j9mr1650861wja.11.1375294179092; Wed, 31 Jul 2013 11:09:39 -0700 (PDT) Received: from localhost ([2001:470:6973:2:221:70ff:fe81:b177]) by mx.google.com with ESMTPSA id z2sm3985842wiv.11.2013.07.31.11.09.37 for (version=TLSv1.2 cipher=RC4-SHA bits=128/128); Wed, 31 Jul 2013 11:09:38 -0700 (PDT) From: Andy Whitcroft To: kernel-team@lists.ubuntu.com Subject: [quantal CVE 1/1] UBUNTU: [Packaging] supply perf with appropriate prefix to ensure use of local config Date: Wed, 31 Jul 2013 19:09:28 +0100 Message-Id: <1375294169-9567-4-git-send-email-apw@canonical.com> X-Mailer: git-send-email 1.8.1.2 In-Reply-To: <1375294169-9567-1-git-send-email-apw@canonical.com> References: <1375294169-9567-1-git-send-email-apw@canonical.com> X-Gm-Message-State: ALoCoQkpB2hgIQiOVeeRj0TtsoTvgXVobAt5T8a4xfXBpMnkFxFu6Hd2VAEz9Nv2xTa42xd4955m Cc: Andy Whitcroft X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.14 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: kernel-team-bounces@lists.ubuntu.com If we do not supply an installation prefix when we are building perf it will assume it is designed to run relative to the builders HOME. This means that as built on a buildd we will check for the system configuration relative to the buildd users home rather than in /etc. This implies a local user could use this to compromise other users _if_ there is a buildd user installed on the system and they have access to it. CVE-2013-1060 BugLink: http://bugs.launchpad.net/bugs/1206200 Signed-off-by: Andy Whitcroft --- debian/rules.d/2-binary-arch.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk index 23367bb..7a04bcb 100644 --- a/debian/rules.d/2-binary-arch.mk +++ b/debian/rules.d/2-binary-arch.mk @@ -440,7 +440,7 @@ $(stampdir)/stamp-build-perarch: $(stampdir)/stamp-prepare-perarch @echo Debug: $@ ifeq ($(do_tools),true) cd $(builddirpa)/tools/perf && \ - make HAVE_CPLUS_DEMANGLE=1 CROSS_COMPILE=$(CROSS_COMPILE) + make prefix=/usr HAVE_CPLUS_DEMANGLE=1 CROSS_COMPILE=$(CROSS_COMPILE) if [ "$(arch)" = "amd64" ] || [ "$(arch)" = "i386" ]; then \ cd $(builddirpa)/tools/power/x86/x86_energy_perf_policy && make CROSS_COMPILE=$(CROSS_COMPILE); \ cd $(builddirpa)/tools/power/x86/turbostat && make CROSS_COMPILE=$(CROSS_COMPILE); \