[2.25 COMMITTED] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1 programs [BZ #21624]
Florian Weimer
fweimer@redhat.com
Sun Jan 1 00:00:00 GMT 2017
LD_LIBRARY_PATH can only be used to reorder system search paths, which
is not useful functionality.
This makes an exploitable unbounded alloca in _dl_init_paths unreachable
for AT_SECURE=1 programs.
(cherry picked from commit f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d)
2017-06-19 Florian Weimer <fweimer@redhat.com>
[BZ #21624]
CVE-2017-1000366
* elf/rtld.c (process_envvars): Ignore LD_LIBRARY_PATH for
__libc_enable_secure.
diff --git a/NEWS b/NEWS
index d528723..29079e8 100644
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,7 @@ The following bugs are resolved with this release:
[21115] sunrpc: Use-after-free in error path in clntudp_call
[21289] Fix symbol redirect for fts_set
[21386] Assertion in fork for distinct parent PID is incorrect
+ [21624] Unsafe alloca allows local attackers to alias stack and heap (CVE-2017-1000366)
Version 2.25
diff --git a/elf/rtld.c b/elf/rtld.c
index a036ece..2fc33a6 100644
--- a/elf/rtld.c
+++ b/elf/rtld.c
@@ -2418,7 +2418,8 @@ process_envvars (enum mode *modep)
case 12:
/* The library search path. */
- if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
+ if (!__libc_enable_secure
+ && memcmp (envline, "LIBRARY_PATH", 12) == 0)
{
library_path = &envline[13];
break;
More information about the Libc-stable
mailing list