This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH] Ignore LD_POINTER_GUARD for set-user-ID/set-group-ID binaries.


Hello all,

It would be nice if our names (Hector Marco and Ismael Ripoll) appeared in the Changelog, at least showing that we reported the security issue.

Previously reported security issues (i.e. BZ #15754) were properly credited in the Glibc Changelog.

Regarding security issues, the complexity relies on finding the issue rather than fixing it, which typically consists of adding or removing a few lines of code.

Developers who want to contribute may be discouraged if their work is not recognized.


-- Hector Marco.


On 10/10/15 at 03:59, Carlos O'Donell wrote:
> On 10/08/2015 04:44 AM, Florian Weimer wrote:
>> On 09/05/2015 06:39 PM, Hector Marco-Gisbert wrote:
>>> A weakness in the dynamic loader has been found, Glibc prior to
>>> 2.22.90 are affected. The issue is that the LD_POINTER_GUARD in the
>>> environment is not sanitized allowing local attackers easily to bypass
>>> the pointer guarding protection on set-user-ID and set-group-ID
>>> programs.
>>>
>>> Details of the weakness:
>>> http://hmarco.org/bugs/glibc_ptr_mangle_weakness.html
>>>
>>> This patch prevents disabling the pointer guarding protection for
>>> set-user-ID/set-group-ID programs.
>>>
>>> For example, executing "LD_POINTER_GUARD=0 /bin/ping" does not disable
>>> the pointer guarding protection unless it is directly executed by root
>>> (rUID==eUID).
>>
>> Does anyone actually use LD_POINTER_GUARD for debugging?  Maybe we can
>> simply retire the environment variable instead.
>
> I vote we remove it. It has long since passed the point of usefulness.
> With a proper tunables infrastructure we would have added it in one release
> while we tested things, and then removed it one or two releases later.
>
> Cheers,
> Carlos.


--
Hector Marco-Gisbert @ http://hmarco.org/
Cyber Security Researcher @ http://cybersecurity.upv.es
Universitat Politècnica de València (Spain)
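
The rule described in the quoted patch summary, as an added example that is not part of the original message and is not glibc source: a simplified model in which LD_POINTER_GUARD is honored only when the process is not in secure-execution mode. The function names, the sample environment and the "value starting with '0' disables the guard" parsing are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Secure execution: real and effective IDs differ, as happens when a
   set-user-ID or set-group-ID binary is run by another user. */
static int secure_exec(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Hypothetical model of the loader's decision (not glibc code).
   Returns 1 if pointer guarding stays enabled, 0 if the environment
   was allowed to switch it off.  Assumption: a value starting with
   '0' means "disable", as in the LD_POINTER_GUARD=0 example. */
static int pointer_guard_enabled(char *const envp[], int secure)
{
    static const char name[] = "LD_POINTER_GUARD=";
    int enabled = 1;                      /* default: protection on */

    for (size_t i = 0; envp[i] != NULL; i++) {
        if (strncmp(envp[i], name, sizeof name - 1) != 0)
            continue;                     /* some other variable */
        if (secure)
            continue;                     /* untrusted environment: ignore it */
        enabled = envp[i][sizeof name - 1] != '0';
    }
    return enabled;
}

/* Constructed sample environment, as an unprivileged caller might set it. */
static char *const sample_env[] = { "PATH=/usr/bin", "LD_POINTER_GUARD=0", NULL };

int main(void)
{
    /* Evaluate the rule for the IDs of the current process. */
    int secure = secure_exec(getuid(), geteuid(), getgid(), getegid());

    printf("secure execution: %d\n", secure);
    printf("pointer guard enabled: %d\n",
           pointer_guard_enabled(sample_env, secure));
    return 0;
}
```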

