All,
Please excuse any ignorance in this e-mail as I am not a RH/CentOS/Fedora user
and may
blunder my way through the correct terminology for my request.
I'm tasked with reconstructing the CentOS version of the GlibC library for
testing with
gethostbyname().  My mission is to show that we are not affected by the latest
exploit for
the product we are shipping targeted for RHEL and CentOS.  To do so, I want to
equip
gethostbyname() with additional code.
My objective is to rebuild from source the EXACT version of GlibC for CentOS
6.6.
Afterwards, I will make my changes in the code, rebuild and complete my testing.
libc.so.6 reports:
GNU C Library stable release version 2.12, by Roland McGrath et al.
Copyright (C) 2010 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 4.4.7 20120313 (Red Hat 4.4.7-11).
Compiled on a Linux 2.6.32 system on 2015-01-27.
Available extensions:
        The C stubs add-on version 2.1.2.
        crypt add-on version 2.1 by Michael Glad and others
        GNU Libidn by Simon Josefsson
        Native POSIX Threads Library by Ulrich Drepper et al
        BIND-8.2.3-T5B
        RT using linux kernel aio
libc ABIs: UNIQUE IFUNC
For bug reporting instructions, please see:
<http://www.gnu.org/software/libc/bugs.html>.
But, when looking through the source code for this version on the CentOS servers
I only see:
<http://vault.centos.org/6.6/updates/Source/SPackages/>
[ ]	glibc-2.12-1.149.el6_6.4.src.rpm	07-Jan-2015 22:45 	15M	 
[ ]	glibc-2.12-1.149.el6_6.5.src.rpm	27-Jan-2015 23:13 	15M	 
Please point me to the correct source tarball, and all required patches so that
I can
reconstruct my loaded version of GlibC.  A yum command is also acceptable.
Thanks,
Andy
On Fri, Feb 27, 2015 at 06:49:23PM +0000, ANDY KENNEDY wrote:> But, when looking through the source code for this version on the CentOS servers I only see: > <http://vault.centos.org/6.6/updates/Source/SPackages/> > [ ] glibc-2.12-1.149.el6_6.5.src.rpm 27-Jan-2015 23:13 15MThis is the latest version for a fully patched CentOS 6 system. % rpm -q glibc glibc-2.12-1.149.el6_6.5.x86_64 glibc-2.12-1.149.el6_6.5.i686 -- rgds Stephen
On 27 February 2015 at 13:49, ANDY KENNEDY <ANDY.KENNEDY at adtran.com> wrote:> All, > > Please excuse any ignorance in this e-mail as I am not a RH/CentOS/Fedora > user and may > blunder my way through the correct terminology for my request. > > I'm tasked with reconstructing the CentOS version of the GlibC library for > testing with > gethostbyname(). My mission is to show that we are not affected by the > latest exploit for > the product we are shipping targeted for RHEL and CentOS. To do so, I > want to equip > gethostbyname() with additional code. > > My objective is to rebuild from source the EXACT version of GlibC for > CentOS 6.6. > Afterwards, I will make my changes in the code, rebuild and complete my > testing. > > libc.so.6 reports: > GNU C Library stable release version 2.12, by Roland McGrath et al. > Copyright (C) 2010 Free Software Foundation, Inc. > This is free software; see the source for copying conditions. > There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A > PARTICULAR PURPOSE. > Compiled by GNU CC version 4.4.7 20120313 (Red Hat 4.4.7-11). > Compiled on a Linux 2.6.32 system on 2015-01-27. > Available extensions: > The C stubs add-on version 2.1.2. > crypt add-on version 2.1 by Michael Glad and others > GNU Libidn by Simon Josefsson > Native POSIX Threads Library by Ulrich Drepper et al > BIND-8.2.3-T5B > RT using linux kernel aio > libc ABIs: UNIQUE IFUNC > For bug reporting instructions, please see: > <http://www.gnu.org/software/libc/bugs.html>. > > But, when looking through the source code for this version on the CentOS > servers I only see: > <http://vault.centos.org/6.6/updates/Source/SPackages/> > [ ] glibc-2.12-1.149.el6_6.4.src.rpm 07-Jan-2015 22:45 15M > [ ] glibc-2.12-1.149.el6_6.5.src.rpm 27-Jan-2015 23:13 15M > > Please point me to the correct source tarball, and all required patches so > that I can > reconstruct my loaded version of GlibC. A yum command is also acceptable. > > Thanks, > Andy > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos >Hi Andy, You can use yumdownloader to download the source $ yumdownloader --source glibc $ rpm -ivh <package.src.rpm> This will give you all the relevant files required for building the package. -- Kind Regards Earl Ramirez
On Fri, 27 Feb 2015 18:49:23 +0000 ANDY KENNEDY wrote:> Compiled on a Linux 2.6.32 system on 2015-01-27.>glibc-2.12-1.149.el6_6.5.src.rpm 27-Jan-2015 23:13 15MThe date on that rpm matches the compiled on date that you posted. -- MELVILLE THEATRE ~ Real D 3D Digital Cinema ~ www.melvilletheatre.com
On 02/27/2015 12:49 PM, ANDY KENNEDY wrote:> All, > > Please excuse any ignorance in this e-mail as I am not a RH/CentOS/Fedora user and may > blunder my way through the correct terminology for my request.No problem.> I'm tasked with reconstructing the CentOS version of the GlibC library for testing with > gethostbyname(). My mission is to show that we are not affected by the latest exploit for > the product we are shipping targeted for RHEL and CentOS. To do so, I want to equip > gethostbyname() with additional code.Do you plan on shipping this updated glibc as part of the product, or is this simply for testing? If you plan to distribute/ship an updated glibc, that's probably going to raise a few eyebrows and anger a few sysadmins.> My objective is to rebuild from source the EXACT version of GlibC for CentOS 6.6. > Afterwards, I will make my changes in the code, rebuild and complete my testing. > > libc.so.6 reports: > GNU C Library stable release version 2.12, by Roland McGrath et al. > Copyright (C) 2010 Free Software Foundation, Inc. > This is free software; see the source for copying conditions. > There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A > PARTICULAR PURPOSE. > Compiled by GNU CC version 4.4.7 20120313 (Red Hat 4.4.7-11). > Compiled on a Linux 2.6.32 system on 2015-01-27. > Available extensions: > The C stubs add-on version 2.1.2. > crypt add-on version 2.1 by Michael Glad and others > GNU Libidn by Simon Josefsson > Native POSIX Threads Library by Ulrich Drepper et al > BIND-8.2.3-T5B > RT using linux kernel aio > libc ABIs: UNIQUE IFUNC > For bug reporting instructions, please see: > <http://www.gnu.org/software/libc/bugs.html>. > > But, when looking through the source code for this version on the CentOS servers I only see: > <http://vault.centos.org/6.6/updates/Source/SPackages/> > [ ] glibc-2.12-1.149.el6_6.4.src.rpm 07-Jan-2015 22:45 15M > [ ] glibc-2.12-1.149.el6_6.5.src.rpm 27-Jan-2015 23:13 15M > > Please point me to the correct source tarball, and all required patches so that I can > reconstruct my loaded version of GlibC. A yum command is also acceptable.Those src.rpms contain the source and the patches. You may want to read over http://wiki.centos.org/HowTos/RebuildSRPM for info. -- Jim Perrin The CentOS Project | http://www.centos.org twitter: @BitIntegrity | GPG Key: FA09AD77
On 28 February 2015 at 05:49, ANDY KENNEDY <ANDY.KENNEDY at adtran.com> wrote:> I'm tasked with reconstructing the CentOS version of the GlibC library for > testing with > gethostbyname(). My mission is to show that we are not affected by the > latest exploit for > the product we are shipping targeted for RHEL and CentOS. To do so, I > want to equip > gethostbyname() with additional code. >?I may be way out of line here, haven't had much coffee yet, but I wonder if systemtap could be used to achieve your goals less intrusively??
> > I'm tasked with reconstructing the CentOS version of the GlibC library for testing with > > gethostbyname(). My mission is to show that we are not affected by the latest exploit for > > the product we are shipping targeted for RHEL and CentOS. To do so, I want to equip > > gethostbyname() with additional code. > > Do you plan on shipping this updated glibc as part of the product, or is > this simply for testing? If you plan to distribute/ship an updated > glibc, that's probably going to raise a few eyebrows and anger a few > sysadmins.No release. Only testing.> > > My objective is to rebuild from source the EXACT version of GlibC for CentOS 6.6. > > Afterwards, I will make my changes in the code, rebuild and complete my testing. > > > > libc.so.6 reports: > > GNU C Library stable release version 2.12, by Roland McGrath et al. > > Copyright (C) 2010 Free Software Foundation, Inc. > > This is free software; see the source for copying conditions. > > There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A > > PARTICULAR PURPOSE. > > Compiled by GNU CC version 4.4.7 20120313 (Red Hat 4.4.7-11). > > Compiled on a Linux 2.6.32 system on 2015-01-27. > > Available extensions: > > The C stubs add-on version 2.1.2. > > crypt add-on version 2.1 by Michael Glad and others > > GNU Libidn by Simon Josefsson > > Native POSIX Threads Library by Ulrich Drepper et al > > BIND-8.2.3-T5B > > RT using linux kernel aio > > libc ABIs: UNIQUE IFUNC > > For bug reporting instructions, please see: > > <http://www.gnu.org/software/libc/bugs.html>. > > > > But, when looking through the source code for this version on the CentOS servers I only see: > > <http://vault.centos.org/6.6/updates/Source/SPackages/> > > [ ] glibc-2.12-1.149.el6_6.4.src.rpm 07-Jan-2015 22:45 15M > > [ ] glibc-2.12-1.149.el6_6.5.src.rpm 27-Jan-2015 23:13 15M > > > > Please point me to the correct source tarball, and all required patches so that I can > > reconstruct my loaded version of GlibC. A yum command is also acceptable. > > Those src.rpms contain the source and the patches. You may want to read > over http://wiki.centos.org/HowTos/RebuildSRPM for info.Great! Thank you Jim Perrin, Frank Cox, Earl A Ramirez and Stphen Harris for your responses. Andy
> On 28 February 2015 at 05:49, ANDY KENNEDY <ANDY.KENNEDY at adtran.com> wrote: > > > I'm tasked with reconstructing the CentOS version of the GlibC library for > > testing with > > gethostbyname(). My mission is to show that we are not affected by the > > latest exploit for > > the product we are shipping targeted for RHEL and CentOS. To do so, I > > want to equip > > gethostbyname() with additional code. > > > > ?I may be way out of line here, haven't had much coffee yet, but I wonder > if systemtap could be used to achieve your goals less intrusively??Already knowing how to build GlibC, I think that may take less of my time than attempting to figure out how to use systemtap. But, you better believe that I'll keep that in mind ::throws in toolbox:: for later. This one I need to be as fast as possible on. Thanks for the info! Andy