Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 25 Feb 2015 12:36:02 +0000
From: John Haxby <john.haxby@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Re: Fixing the glibc runtime linker

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 19/02/15 22:19, Tim Brown wrote:
> What's the fix?
> 
> More often than not, the underlying issue is an empty element 
> within the DT_RPATH header or equivalent. Sometimes it's not, but 
> even in those cases, it is largely that one or more elements isn't 
> qualifed (i.e. it doesn't start with /). The attached patch fixes 
> this, by ignoring any elements of DT_RPATH, LD_LIBRARY_PATH that
> do not start with a /, and/or junking any use of dlopen where the 
> filename is likewise unqualified.

What about things like -Wl,-rpath=/tmp ?

That one is particularly egregious and, as Casper mentioned, there are
other ways of getting stupid RPATHs.  I've seen a fair number of them :)

Would it be useful to check to see if and rpath directory is not
writable by the someone other than the uid/euid?  Of course, it does
nothing for an RPATH that goes over NFS.

The Fedora packaging guidelines forbid the use of rpath completely
which is beginning to look more and more attractive.

jch


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iF4EAREIAAYFAlTtwaYACgkQRQu7fpQvo8ihGAD/fppL/PSXpLep2TVz4Eh5G/ch
NxyTZXDIpXs0DAZTNuAA/RDQ7KBXT/43McHtHMHKFPlMWGnjEEkaAZ8MNQcle0Cs
=mnPH
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ