Full details were posted to full-disclosure: <http://seclists.org/fulldisclosure/2010/Oct/257>
The key part:
“However, I have now discovered a way to exploit this. The origin expansion mechanism is recycled for use in LD_AUDIT support; although an attempt is made to prevent it from working, it is insufficient.

LD_AUDIT is intended for use with the linker auditing API (see the rtld-audit manual), and has the usual restrictions for setuid programs as LD_PRELOAD does. However, $ORIGIN expansion is only prevented if it is not used in isolation.”
This was fixed in commits 8e9f92e9d5d7737afdacf79b76d98c4c42980508 and 22cd1c9bcf57c5829d65b6da825f7a459d40c9eb, which went into glibc 2.13. Some downstreams used a completely different fix initially, so the commit mapping is on somewhat shaky ground.
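To make the "only prevented if it is not used in isolation" point concrete, here is an added, simplified model of the secure-mode check (constructed for this answer, not glibc's actual code): the flawed filter drops an LD_AUDIT element that merely contains `$ORIGIN` but still expands one that consists of the token alone, while the hardened filter refuses to honour any dynamic string token at all when the process is privileged. The function names, the colon-separated element format and the sample paths are assumptions of the model.

```python
ORIGIN_TOKEN = "$ORIGIN"


def expand_origin(element: str, origin_dir: str) -> str:
    """Replace the $ORIGIN dynamic string token with the executable's directory."""
    return element.replace(ORIGIN_TOKEN, origin_dir)


def flawed_audit_filter(ld_audit: str, origin_dir: str, secure: bool) -> list:
    """Model of the pre-fix behaviour described in the quote (constructed,
    not glibc's code).  In secure (setuid) mode an element that mixes
    $ORIGIN with other text is rejected, but an element that is exactly
    "$ORIGIN" slips through the check and is still expanded.  Since the
    environment is attacker-controlled for a setuid target, that one
    accepted case is enough to defeat the restriction."""
    kept = []
    for element in ld_audit.split(":"):
        if not element:
            continue
        mixed_use = ORIGIN_TOKEN in element and element != ORIGIN_TOKEN
        if secure and mixed_use:
            continue  # the only case the flawed check actually blocks
        kept.append(expand_origin(element, origin_dir))
    return kept


def hardened_audit_filter(ld_audit: str, origin_dir: str, secure: bool) -> list:
    """Hardened model: in secure mode, never expand a dynamic string token
    in an LD_AUDIT element, isolated or not.  Only literal entries survive,
    and those are still subject to the normal setuid library-path rules."""
    kept = []
    for element in ld_audit.split(":"):
        if not element:
            continue
        if secure and "$" in element:
            continue  # no DST expansion at all for privileged processes
        kept.append(expand_origin(element, origin_dir))
    return kept


if __name__ == "__main__":
    # Constructed sample: a setuid binary living in /usr/bin (secure=True).
    for value in ("$ORIGIN", "$ORIGIN/audit.so", "libaudit.so"):
        print(f"{value!r:20} flawed={flawed_audit_filter(value, '/usr/bin', True)}"
              f" hardened={hardened_audit_filter(value, '/usr/bin', True)}")
```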