Date: Wed, 25 Feb 2015 12:36:02 +0000 From: John Haxby <john.haxby@...cle.com> To: oss-security@...ts.openwall.com Subject: Re: Fixing the glibc runtime linker -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 19/02/15 22:19, Tim Brown wrote: > What's the fix? > > More often than not, the underlying issue is an empty element > within the DT_RPATH header or equivalent. Sometimes it's not, but > even in those cases, it is largely that one or more elements isn't > qualifed (i.e. it doesn't start with /). The attached patch fixes > this, by ignoring any elements of DT_RPATH, LD_LIBRARY_PATH that > do not start with a /, and/or junking any use of dlopen where the > filename is likewise unqualified. What about things like -Wl,-rpath=/tmp ? That one is particularly egregious and, as Casper mentioned, there are other ways of getting stupid RPATHs. I've seen a fair number of them :) Would it be useful to check to see if and rpath directory is not writable by the someone other than the uid/euid? Of course, it does nothing for an RPATH that goes over NFS. The Fedora packaging guidelines forbid the use of rpath completely which is beginning to look more and more attractive. jch -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iF4EAREIAAYFAlTtwaYACgkQRQu7fpQvo8ihGAD/fppL/PSXpLep2TVz4Eh5G/ch NxyTZXDIpXs0DAZTNuAA/RDQ7KBXT/43McHtHMHKFPlMWGnjEEkaAZ8MNQcle0Cs =mnPH -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ