> > I'm tasked with reconstructing the CentOS version of the GlibC library for testing with
> > gethostbyname(). My mission is to show that we are not affected by the latest exploit for
> > the product we are shipping targeted for RHEL and CentOS. To do so, I want to equip
> > gethostbyname() with additional code.
>
> Do you plan on shipping this updated glibc as part of the product, or is
> this simply for testing? If you plan to distribute/ship an updated
> glibc, that's probably going to raise a few eyebrows and anger a few
> sysadmins.

No release. Only testing.

> > My objective is to rebuild from source the EXACT version of GlibC for CentOS 6.6.
> > Afterwards, I will make my changes in the code, rebuild and complete my testing.
> >
> > libc.so.6 reports:
> > GNU C Library stable release version 2.12, by Roland McGrath et al.
> > Copyright (C) 2010 Free Software Foundation, Inc.
> > This is free software; see the source for copying conditions.
> > There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> > PARTICULAR PURPOSE.
> > Compiled by GNU CC version 4.4.7 20120313 (Red Hat 4.4.7-11).
> > Compiled on a Linux 2.6.32 system on 2015-01-27.
> > Available extensions:
> > The C stubs add-on version 2.1.2.
> > crypt add-on version 2.1 by Michael Glad and others
> > GNU Libidn by Simon Josefsson
> > Native POSIX Threads Library by Ulrich Drepper et al
> > BIND-8.2.3-T5B
> > RT using linux kernel aio
> > libc ABIs: UNIQUE IFUNC
> > For bug reporting instructions, please see:
> > <http://www.gnu.org/software/libc/bugs.html>.
> >
> > But, when looking through the source code for this version on the CentOS servers I only see:
> > <http://vault.centos.org/6.6/updates/Source/SPackages/>
> > [ ] glibc-2.12-1.149.el6_6.4.src.rpm 07-Jan-2015 22:45 15M
> > [ ] glibc-2.12-1.149.el6_6.5.src.rpm 27-Jan-2015 23:13 15M
> >
> > Please point me to the correct source tarball, and all required patches so that I can
> > reconstruct my loaded version of GlibC. A yum command is also acceptable.
>
> Those src.rpms contain the source and the patches. You may want to read
> over http://wiki.centos.org/HowTos/RebuildSRPM for info.

Great! Thank you Jim Perrin, Frank Cox, Earl A Ramirez and Stephen Harris for your responses.

Andy
On 03/02/2015 10:38 AM, ANDY KENNEDY wrote:
>>> I'm tasked with reconstructing the CentOS version of the GlibC library for testing with
>>> gethostbyname(). My mission is to show that we are not affected by the latest exploit for
>>> the product we are shipping targeted for RHEL and CentOS. To do so, I want to equip
>>> gethostbyname() with additional code.
>>
>> Do you plan on shipping this updated glibc as part of the product, or is
>> this simply for testing? If you plan to distribute/ship an updated
>> glibc, that's probably going to raise a few eyebrows and anger a few
>> sysadmins.
>
> No release. Only testing.
>

Also, please be advised that rebuilding a package and then trying to
compare it to something else built earlier is likely not going to work
unless you can duplicate the exact set of packages that are installed in
the build root at the time of the build. Even then, with documentation
generation, you STILL might not get an exact, bit for bit, match when
building later.

It is almost impossible to duplicate a closed and staged build system
for a given date unless you are trying very hard to do so.

>>
>>> My objective is to rebuild from source the EXACT version of GlibC for CentOS 6.6.
>>> Afterwards, I will make my changes in the code, rebuild and complete my testing.
>>>

^^ That would likely be impossible to accomplish. See my comments above.

<snip>

Thanks,
Johnny Hughes
On 03/02/2015 11:00 AM, Johnny Hughes wrote:
> On 03/02/2015 10:38 AM, ANDY KENNEDY wrote:
>>>> I'm tasked with reconstructing the CentOS version of the GlibC library for testing with
>>>> gethostbyname(). My mission is to show that we are not affected by the latest exploit for
>>>> the product we are shipping targeted for RHEL and CentOS. To do so, I want to equip
>>>> gethostbyname() with additional code.
>>>
>>> Do you plan on shipping this updated glibc as part of the product, or is
>>> this simply for testing? If you plan to distribute/ship an updated
>>> glibc, that's probably going to raise a few eyebrows and anger a few
>>> sysadmins.
>>
>> No release. Only testing.
>>
>
> Also, please be advised that rebuilding a package and then trying to
> compare it to something else built earlier is likely not going to work
> unless you can duplicate the exact set of packages that are installed in
> the build root at the time of the build. Even then, with documentation
> generation, you STILL might not get an exact, bit for bit, match when
> building later.
>
> It is almost impossible to duplicate a closed and staged build system
> for a given date unless you are trying very hard to do so.
>
>>>
>>>> My objective is to rebuild from source the EXACT version of GlibC for CentOS 6.6.
>>>> Afterwards, I will make my changes in the code, rebuild and complete my testing.
>>>>
>
> ^^ That would likely be impossible to accomplish. See my comments above.
>
> <snip>

The list of packages that were in the "mock build root" for our build of
the glibc-2.12-1.149.el6_6.5.x86_64.src.rpm is here:

http://ur1.ca/ju24m

To get close to an exact match, you need to use mock and use the packages
listed above (and only those versions) if you are trying to get a build
that matches what we built.
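As an added example (not from the thread or the CentOS project), a POSIX shell script that checks a mock chroot against a pinned build-root inventory before rebuilding the SRPM, so that any difference in the rebuilt glibc comes from your own patch rather than from build-root drift. The package list is a constructed sample (paste the real list from the link above), and the mock config name `epel-6-x86_64` and its chroot path are assumptions.

```shell
#!/bin/sh
# Added example: refuse to rebuild unless the mock chroot holds exactly the
# pinned set of build-root packages (the thread's advice: same packages, same
# versions, nothing else). Package names, chroot path and mock config name
# below are assumptions, not values taken from the real build.

# Pinned build-root inventory, one NEVRA per line (constructed sample).
PINNED_BUILDROOT='binutils-2.20.51.0.2-5.42.el6.x86_64
gcc-4.4.7-11.el6.x86_64
glibc-devel-2.12-1.149.el6_6.5.x86_64'

# compare_buildroot PINNED ACTUAL
# Prints "- pkg" for pinned packages missing from the chroot and "+ pkg" for
# packages present but not pinned. Returns 0 only when both sets are identical.
compare_buildroot() {
    pinned_f=$(mktemp) || return 2
    actual_f=$(mktemp) || return 2
    printf '%s\n' "$1" | sed '/^$/d' | sort -u > "$pinned_f"
    printf '%s\n' "$2" | sed '/^$/d' | sort -u > "$actual_f"
    comm -23 "$pinned_f" "$actual_f" | sed 's/^/- /'
    comm -13 "$pinned_f" "$actual_f" | sed 's/^/+ /'
    cmp -s "$pinned_f" "$actual_f"
    rc=$?
    rm -f "$pinned_f" "$actual_f"
    return $rc
}

# Inventory of an existing mock chroot, formatted like the pinned list.
# The default root path of the epel-6-x86_64 config is assumed; pass your own.
chroot_inventory() {
    rpm -qa --root "${1:-/var/lib/mock/epel-6-x86_64/root}" \
        --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'
}

# Rebuild the SRPM only if the chroot matches; --no-clean keeps the chroot we
# just verified instead of letting mock repopulate it from current repos.
# (Not exercised by the offline test; needs mock and a populated chroot.)
rebuild_if_pinned() {
    srpm=$1
    if compare_buildroot "$PINNED_BUILDROOT" "$(chroot_inventory)"; then
        mock -r epel-6-x86_64 --no-clean --rebuild "$srpm"
    else
        echo "build root drifted from the pinned list; refusing to rebuild" >&2
        return 1
    fi
}
```

Run `rebuild_if_pinned glibc-2.12-1.149.el6_6.5.src.rpm` from a shell that has sourced the script; a non-empty diff listing means the chroot is not the one the distro build used.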