[Bug dynamic-link/18018] Additional $ORIGIN handling issues (CVE-2011-0536)

["carlos at redhat dot com" <sourceware-bugzilla at sourceware dot org>]

https://sourceware.org/bugzilla/show_bug.cgi?id=18018

Carlos O'Donell <carlos at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |carlos at redhat dot com

--- Comment #1 from Carlos O'Donell <carlos at redhat dot com> ---
(In reply to Florian Weimer from comment #0)
> Most downstream fixes for CVE-2010-3847 were incomplete.  One of the
> follow-up fixes was never applied to glibc, namely this part:
> 
> Index: glibc-2.12-2-gc4ccff1/elf/dl-object.c
> ===================================================================
> --- glibc-2.12-2-gc4ccff1.orig/elf/dl-object.c
> +++ glibc-2.12-2-gc4ccff1/elf/dl-object.c
> @@ -214,6 +214,9 @@ _dl_new_object (char *realname, const ch
>      out:
>        new->l_origin = origin;
>      }
> +  else if (INTUSE(__libc_enable_secure) && type == lt_executable)
> +    /* The origin of a privileged program cannot be trusted.  */
> +    new->l_origin = (char *) -1;
>  
>    return new;
>  }
> 
> We need to figure out if this patch is still needed.

I believe this is not needed.

This seems like excessive belt-and-suspenders.

We support $ORIGIN for AT_SECURE if it's the first thing in the path, and the
canonical expansion is rooted in a trusted directory (this is an exception to
the ELF gABI specification).

The above would break this use of $ORIGIN, but perhaps we ant to avoid this
exception?

What really needs to happen is that we need the parsing to work properly for
handling DST names, see:
https://sourceware.org/bugzilla/show_bug.cgi?id=23102#c3

-- 
You are receiving this mail because:
You are on the CC list for the bug.