This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug dynamic-link/18018] Additional $ORIGIN handling issues (CVE-2011-0536)
- From: "carlos at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Tue, 05 Jun 2018 22:19:54 +0000
- Subject: [Bug dynamic-link/18018] Additional $ORIGIN handling issues (CVE-2011-0536)
- Auto-submitted: auto-generated
- References: <bug-18018-131@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=18018
--- Comment #2 from Carlos O'Donell <carlos at redhat dot com> ---
(In reply to Carlos O'Donell from comment #1)
> (In reply to Florian Weimer from comment #0)
> > Most downstream fixes for CVE-2010-3847 were incomplete. One of the
> > follow-up fixes was never applied to glibc, namely this part:
> >
> > Index: glibc-2.12-2-gc4ccff1/elf/dl-object.c
> > ===================================================================
> > --- glibc-2.12-2-gc4ccff1.orig/elf/dl-object.c
> > +++ glibc-2.12-2-gc4ccff1/elf/dl-object.c
> > @@ -214,6 +214,9 @@ _dl_new_object (char *realname, const ch
> > out:
> > new->l_origin = origin;
> > }
> > + else if (INTUSE(__libc_enable_secure) && type == lt_executable)
> > + /* The origin of a privileged program cannot be trusted. */
> > + new->l_origin = (char *) -1;
> >
> > return new;
> > }
> >
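Review bot: the new `else if` branch stores the sentinel `(char *) -1` in `l_origin` for an AT_SECURE executable, but the hunk touches none of the code that reads `l_origin`, so the review should confirm that every consumer checks for that value and skips `$ORIGIN` expansion instead of dereferencing it. The comment "The origin of a privileged program cannot be trusted" should also say why only `type == lt_executable` is covered: other objects loaded into the same secure process still get `new->l_origin = origin` from the branch above, and the asymmetry is not explained in the patch.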
> > We need to figure out if this patch is still needed.
>
> I believe this is not needed.
So I'm going to mark this bug resolved by my changes to this code because the
intent of setting l_origin to -1 for lt_executable && AT_SECURE is wrong. We
can trust the l_origin in one case, the case where it comes first in the list
and is rooted in a trusted directory.
We use calloc to allocate the link_map and so l_origin is NULL if we don't
initialize it, and this causes later calls to _dl_get_origin() to initialize
origin once we can do more complex operations (read /proc/self/exe or read
LD_ORIGIN_PATH).
--
You are receiving this mail because:
You are on the CC list for the bug.