This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug dynamic-link/23259] New: Unsubstituted ${ORIGIN} remains in DT_NEEDED for AT_SECURE
- From: "carlos at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Tue, 05 Jun 2018 04:09:30 +0000
- Subject: [Bug dynamic-link/23259] New: Unsubstituted ${ORIGIN} remains in DT_NEEDED for AT_SECURE
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=23259
Bug ID: 23259
Summary: Unsubstituted ${ORIGIN} remains in DT_NEEDED for AT_SECURE
Product: glibc
Version: 2.29
Status: NEW
Severity: normal
Priority: P2
Component: dynamic-link
Assignee: unassigned at sourceware dot org
Reporter: carlos at redhat dot com
Target Milestone: ---
In Fedora we carry a patch to handle unsubstituted $ORIGIN in DT_NEEDED entries
for AT_SECURE.
Without the patch the present glibc handling can result in an unsubstituted
$ORIGIN being used in path lookup:
From my own test cases:
~~~
Test 16 [SUID]: Verify ${ORIGIN} without / in DT_NEEDED discards the DT_NEEDED.
origin: Function called.
FAIL: Incorrectly allowed DT_NEEDED with ${ORIGIN}.
~~~
~~~
# startup_sysroot, run_in_sysroot and shutdown_sysroot come from the
# surrounding test harness and are not shown here.
function test16 {
    local soname='/bad/${ORIGIN}liborigin.so'   # literal, unexpanded DST
    local testdir="test16dir"
    local ret
    rm -rf "$testdir"
    echo "Test 16 [SUID]: Verify \${ORIGIN} without / in DT_NEEDED discards the DT_NEEDED."
    startup_sysroot "./$testdir" "$BUILD"
    # Build a library whose SONAME carries the DST, so the test binary's
    # DT_NEEDED records it verbatim.
    gcc -shared -fPIC -Wl,-soname="$soname" -o liborigin.so origin.c
    gcc -g3 -O0 -L. -o test16 ./need_origin.c -lorigin
    # Install the library under the literal (unsubstituted) path.
    mkdir -p "./$testdir/bad"
    cp liborigin.so "./$testdir/bad/\${ORIGIN}liborigin.so"
    rm liborigin.so
    # Make the binary setuid root so the loader runs it with AT_SECURE set.
    mv test16 "./$testdir/root/"
    sudo chown root:root "./$testdir/root/test16"
    sudo chmod u+s "./$testdir/root/test16"
    run_in_sysroot "./$testdir" /root/test16
    ret=$?
    if [ "$ret" -ne 0 ]; then
        echo "PASS: Failed to execute binary with \${ORIGIN} in DT_NEEDED."
    else
        echo "FAIL: Incorrectly allowed DT_NEEDED with \${ORIGIN}."
    fi
    shutdown_sysroot "./$testdir"
}
~~~
Just to give an idea of what is done here, we generate a binary with a
DT_NEEDED of '/bad/${ORIGIN}liborigin.so', perhaps a mistake, but the
unprocessed ${ORIGIN} means the entry is eventually searched as a literal
entry.
This should result in an error, since ${ORIGIN} should not be allowed.
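The following audit script is an added example and is not part of the bug report, the Fedora patch, or glibc itself. It pulls DT_NEEDED names out of `readelf -d` output (a constructed sample is embedded), locates dynamic string tokens using a matching rule modeled on the loader's (`${NAME}` always counts, bare `$NAME` only when followed by `/` or end of string), and applies the policy the report asks for: under AT_SECURE, an entry that still carries `$ORIGIN` is rejected rather than searched as a literal path. The `audit_needed` verdicts are this example's own convention, not a glibc API.

```python
import re
from typing import List, Tuple

# Dynamic string tokens the loader knows how to expand.
DST_NAMES = ("ORIGIN", "LIB", "PLATFORM")


def find_dsts(path: str) -> List[Tuple[int, str]]:
    """Locate DSTs in a path string.

    Modeled on the loader's matching rule: '${NAME}' is always a DST, while a
    bare '$NAME' counts only when followed by '/' or the end of the string.
    So '/bad/${ORIGIN}liborigin.so' contains one, '$ORIGINliborigin.so' none.
    Returns (offset, name) pairs.
    """
    found = []
    for i, ch in enumerate(path):
        if ch != "$":
            continue
        rest = path[i + 1:]
        for name in DST_NAMES:
            if rest.startswith("{" + name + "}"):
                found.append((i, name))
                break
            if rest.startswith(name) and rest[len(name):len(name) + 1] in ("", "/"):
                found.append((i, name))
                break
    return found


_NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]*)\]")


def needed_from_readelf(text: str) -> List[str]:
    """Extract DT_NEEDED names from the output of `readelf -d <binary>`."""
    return _NEEDED_RE.findall(text)


def audit_needed(entries: List[str], secure: bool) -> List[Tuple[str, str]]:
    """Classify each DT_NEEDED entry.

    Policy (what the report asks for, not necessarily what a given glibc
    release implements): under AT_SECURE an entry carrying $ORIGIN is
    'reject'ed, since an unsubstituted token would otherwise be searched as a
    literal path. Any other entry with a DST is marked 'expand' for review;
    entries without DSTs are 'ok'.
    """
    verdicts = []
    for entry in entries:
        dsts = find_dsts(entry)
        if not dsts:
            verdicts.append((entry, "ok"))
        elif secure and any(name == "ORIGIN" for _, name in dsts):
            verdicts.append((entry, "reject"))
        else:
            verdicts.append((entry, "expand"))
    return verdicts


# Constructed sample of `readelf -d` output for a binary built like test16.
SAMPLE_READELF = """\
Dynamic section at offset 0x2dd8 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [/bad/${ORIGIN}liborigin.so]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [$ORIGIN/../lib]
"""


if __name__ == "__main__":
    entries = needed_from_readelf(SAMPLE_READELF)
    for entry, verdict in audit_needed(entries, secure=True):
        print(f"{verdict:7} {entry}")
```

To run it against a real binary, feed the text of `readelf -d <file>` to `needed_from_readelf` and pass `secure=True` when the file is setuid/setgid or carries file capabilities, since those are the cases where the kernel sets AT_SECURE.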