This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug dynamic-link/18018] Additional $ORIGIN handling issues (CVE-2011-0536)
- From: "carlos at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Tue, 05 Jun 2018 04:00:41 +0000
- Subject: [Bug dynamic-link/18018] Additional $ORIGIN handling issues (CVE-2011-0536)
- Auto-submitted: auto-generated
- References: <bug-18018-131@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=18018
Carlos O'Donell <carlos at redhat dot com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |carlos at redhat dot com
--- Comment #1 from Carlos O'Donell <carlos at redhat dot com> ---
(In reply to Florian Weimer from comment #0)
> Most downstream fixes for CVE-2010-3847 were incomplete. One of the
> follow-up fixes was never applied to glibc, namely this part:
>
> Index: glibc-2.12-2-gc4ccff1/elf/dl-object.c
> ===================================================================
> --- glibc-2.12-2-gc4ccff1.orig/elf/dl-object.c
> +++ glibc-2.12-2-gc4ccff1/elf/dl-object.c
> @@ -214,6 +214,9 @@ _dl_new_object (char *realname, const ch
> out:
> new->l_origin = origin;
> }
> + else if (INTUSE(__libc_enable_secure) && type == lt_executable)
> + /* The origin of a privileged program cannot be trusted. */
> + new->l_origin = (char *) -1;
>
> return new;
> }
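Review bot: because the new branch is an `else if`, the untrusted marker is only stored when the preceding block (whose condition lies outside this hunk) was skipped; a privileged executable that did enter that block still ends up with `new->l_origin = origin;`. If the intent is that a privileged program's origin is never trusted, the `INTUSE(__libc_enable_secure) && type == lt_executable` test should guard the origin computation itself, or the assignment should be made unconditionally after the block, rather than sitting in an `else if`. The comment should also state that `(char *) -1` is the value every consumer of `l_origin` already treats as "no usable origin", since the hunk silently depends on that convention; "cannot be trusted" alone does not say so.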
>
> We need to figure out if this patch is still needed.
I believe this is not needed.
This seems like excessive belt-and-suspenders.
We support $ORIGIN for AT_SECURE if it's the first thing in the path, and the
canonical expansion is rooted in a trusted directory (this is an exception to
the ELF gABI specification).
The above would break this use of $ORIGIN, but perhaps we want to avoid this
exception?
What really needs to happen is that we need the parsing to work properly for
handling DST names, see:
https://sourceware.org/bugzilla/show_bug.cgi?id=23102#c3
--
You are receiving this mail because:
You are on the CC list for the bug.
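The rule Carlos states above (under AT_SECURE a $ORIGIN element is honoured only when $ORIGIN is the first thing in the path and the canonical expansion is rooted in a trusted directory) is modelled below as an added C example. It is not glibc's code and not part of the bug report; glibc's real check lives in elf/dl-load.c and its trusted-directory list is generated at build time. Assumptions made here for illustration: the trusted prefixes are a fixed list, both `$ORIGIN` and `${ORIGIN}` are recognised and the token must be followed by `/` or end of string (so `$ORIGINx` is rejected), a subdirectory of a trusted directory counts as trusted, no further `$` may follow the leading token, and canonicalisation collapses `.` and `..` without resolving symlinks. The `(char *) -1` sentinel mirrors the value the quoted patch stores in `l_origin`.

```c
/* Added example: a model of the AT_SECURE $ORIGIN policy, not glibc code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed trusted prefixes for the demo (glibc derives its own list). */
static const char *const trusted_dirs[] = {
    "/lib/", "/usr/lib/", "/lib64/", "/usr/lib64/"
};

/* Same sentinel the quoted patch assigns to l_origin: "no usable origin". */
#define ORIGIN_UNKNOWN ((const char *) -1)

/* Collapse "." and ".." in an absolute path; keeps a trailing '/'.
   No symlink resolution (assumption: realpath(3) would need a real file).
   Fails if ".." would climb above "/" or the output buffer is too small. */
static bool canonicalise(const char *in, char *out, size_t outlen)
{
    if (in[0] != '/' || outlen < 2)
        return false;
    size_t n = 0;                    /* bytes written, excluding NUL */
    out[n++] = '/';
    const char *p = in + 1;
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/')
            p++;
        size_t len = (size_t)(p - seg);
        while (*p == '/')            /* swallow repeated slashes */
            p++;
        if (len == 0 || (len == 1 && seg[0] == '.'))
            continue;
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (n == 1)
                return false;        /* ".." above the root: reject */
            n--;                     /* drop the trailing '/' */
            while (n > 0 && out[n - 1] != '/')
                n--;                 /* drop the last component */
            continue;
        }
        if (n + len + 1 >= outlen)
            return false;
        memcpy(out + n, seg, len);
        n += len;
        out[n++] = '/';
    }
    out[n] = '\0';
    return true;
}

/* Expand one search-path element containing $ORIGIN under AT_SECURE.
   Returns true and writes the canonical directory only if the element is
   acceptable; elements without a leading $ORIGIN are outside this model. */
static bool secure_expand_origin(const char *elem, const char *origin,
                                 char *out, size_t outlen)
{
    const char *rest;
    if (strncmp(elem, "${ORIGIN}", 9) == 0)
        rest = elem + 9;
    else if (strncmp(elem, "$ORIGIN", 7) == 0)
        rest = elem + 7;
    else
        return false;                /* $ORIGIN is not the first thing */
    if (*rest != '\0' && *rest != '/')
        return false;                /* assumption: "$ORIGINx" is not a DST */
    if (strchr(rest, '$') != NULL)
        return false;                /* assumption: no second DST allowed */

    /* A privileged program whose origin was marked untrusted (or never
       determined) has nothing that can be expanded safely. */
    if (origin == NULL || origin == ORIGIN_UNKNOWN || origin[0] != '/')
        return false;

    char joined[1024];
    if (snprintf(joined, sizeof joined, "%s%s", origin, rest) >= (int) sizeof joined)
        return false;
    if (!canonicalise(joined, out, outlen))
        return false;

    /* Accept the trusted directory itself or a subdirectory (assumption). */
    for (size_t i = 0; i < sizeof trusted_dirs / sizeof trusted_dirs[0]; i++)
        if (strncmp(out, trusted_dirs[i], strlen(trusted_dirs[i])) == 0)
            return true;
    return false;
}

/* Wrapper used by the demo: canonical expansion, or NULL when rejected.
   Uses a static buffer, so it is not reentrant. */
static const char *origin_expand_or_null(const char *elem, const char *origin)
{
    static char buf[1024];
    return secure_expand_origin(elem, origin, buf, sizeof buf) ? buf : NULL;
}

int main(void)
{
    /* Constructed sample inputs for the demo. */
    struct { const char *elem; const char *origin; } cases[] = {
        { "$ORIGIN/../lib",           "/usr/bin" },      /* -> /usr/lib/   */
        { "${ORIGIN}/../../lib",      "/usr/bin" },      /* -> /lib/       */
        { "$ORIGIN/lib",              "/tmp/x"   },      /* untrusted dir  */
        { "lib/$ORIGIN",              "/usr/bin" },      /* not first      */
        { "$ORIGINx/lib",             "/usr/bin" },      /* bad token      */
        { "$ORIGIN/../../../../etc",  "/usr/bin" },      /* above root     */
        { "$ORIGIN/../lib",           ORIGIN_UNKNOWN },  /* origin marked  */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const char *r = origin_expand_or_null(cases[i].elem, cases[i].origin);
        printf("%-26s origin=%-10s => %s\n", cases[i].elem,
               cases[i].origin == ORIGIN_UNKNOWN ? "(unknown)" : cases[i].origin,
               r ? r : "REJECTED");
    }
    return 0;
}
```

The interesting cases are the last two: a `..` chain that would escape the root is rejected by canonicalisation rather than silently clamped, and an origin carrying the `(char *) -1` marker is rejected before any string work touches it, which is the property the quoted patch is trying to guarantee for privileged executables.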