Bug 18017 (CVE-2010-3847) - $ORIGIN in LD_AUDIT is not ignored for AT_SECURE programs (CVE-2010-3847)
Summary: $ORIGIN in LD_AUDIT is not ignored for AT_SECURE programs (CVE-2010-3847)
Status: RESOLVED FIXED
Alias: CVE-2010-3847
Product: glibc
Classification: Unclassified
Component: dynamic-link (show other bugs)
Version: unspecified
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-02-24 16:23 UTC by Florian Weimer
Modified: 2015-02-24 17:04 UTC (History)
0 users

See Also:
Host:
Target:
Build:
Last reconfirmed:
fweimer: security+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Weimer 2015-02-24 16:23:15 UTC 
Full details were posted to full-disclosure: <http://seclists.org/fulldisclosure/2010/Oct/257>

The key part:

“However, I have now discovered a way to exploit this. The origin expansion
mechanism is recycled for use in LD_AUDIT support, although an attempt is made
to prevent it from working, it is insufficient.

LD_AUDIT is intended for use with the linker auditing api (see the rtld-audit
manual), and has the usual restrictions for setuid programs as LD_PRELOAD does.
However, $ORIGIN expansion is only prevented if it is not used in isolation.”
Comment 1 Florian Weimer 2015-02-24 16:56:40 UTC 
This was fixed in commit 8e9f92e9d5d7737afdacf79b76d98c4c42980508 and 22cd1c9bcf57c5829d65b6da825f7a459d40c9eb, which went into glibc 2.13.  Some downstreams used a completely different fix initially, so the commit mapping is a bit on shaky grounds.