This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/12393] ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN
- From: "schwab at linux-m68k dot org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: Mon, 9 May 2011 08:40:52 +0000
- Subject: [Bug libc/12393] ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN
- Auto-submitted: auto-generated
- References: <bug-12393-131@http.sourceware.org/bugzilla/>
http://sourceware.org/bugzilla/show_bug.cgi?id=12393
Andreas Schwab <schwab@linux-m68k.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|FIXED |
--- Comment #11 from Andreas Schwab <schwab@linux-m68k.org> 2011-05-09 08:40:44 UTC ---
This comment:
/* In SUID/SGID programs, after $ORIGIN expansion the
normalized path must be rooted in one of the trusted
directories. */
is bogus. In a privileged program $ORIGIN is not expanded except when
isolated, and the binary will never be in a directory that is considered
trusted (only library directories are). Also, check_for_trusted is only reset
when the test for trusted directories has succeeded, if it didn't the next path
element will be checked as well. It also does not address the problem of
$ORIGIN/../lib not being expanded but accepted.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.