[2.24 COMMITTED] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1 programs [BZ #21624]
Florian Weimer
fweimer@redhat.com
Sun Jan 1 00:00:00 GMT 2017
LD_LIBRARY_PATH can only be used to reorder system search paths, which
is not useful functionality.
This makes an exploitable unbounded alloca in _dl_init_paths unreachable
for AT_SECURE=1 programs.
(cherry picked from commit f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d)
2017-06-19 Florian Weimer <fweimer@redhat.com>
[BZ #21624]
CVE-2017-1000366
* elf/rtld.c (process_envvars): Ignore LD_LIBRARY_PATH for
__libc_enable_secure.
diff --git a/NEWS b/NEWS
index 82a718f..d42af91 100644
--- a/NEWS
+++ b/NEWS
@@ -25,6 +25,7 @@ The following bugs are resolved with this release:
[21289] Fix symbol redirect for fts_set
[21386] Assertion in fork for distinct parent PID is incorrect
+ [21624] Unsafe alloca allows local attackers to alias stack and heap (CVE-2017-1000366)
Version 2.24
diff --git a/elf/rtld.c b/elf/rtld.c
index 647661c..215a9ae 100644
--- a/elf/rtld.c
+++ b/elf/rtld.c
@@ -2437,7 +2437,8 @@ process_envvars (enum mode *modep)
case 12:
/* The library search path. */
- if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
+ if (!__libc_enable_secure
+ && memcmp (envline, "LIBRARY_PATH", 12) == 0)
{
library_path = &envline[13];
break;
More information about the Libc-stable
mailing list