Date: Sat, 14 Jun 2014 12:24:43 -0400
From: Rich Felker <dalias@...c.org>
To: musl@...ts.openwall.com
Subject: Re: Binaries compiled with musl (1.1.2) are vulnerable to an
 ancient ldd exploit

On Sat, Jun 14, 2014 at 08:14:01PM +0400, Solar Designer wrote:
> Rich,
> 
> On Sat, Jun 14, 2014 at 12:02:43PM -0400, Rich Felker wrote:
> > (Actually, I think
> > this issue may be fixed in modern glibc ldd, but I'm not sure.)
> 
> IIRC, we have this worked around in patched glibc's ldd on Owl by having
> it always explicitly run the program through /lib/ld-linux.so.2, which
> obviously does interpret its env vars that the ldd script sets.  That ldd
> script assumes glibc's /lib/ld-linux.so.2 anyway (env vars, exit codes).

One improvement to this, if one wants to support multiple glibc
installations with different interpreters, would be parsing the
PT_INTERP from the binary, then exec'ing it in a way that inhibits
suid if the pointed-to binary happens to be suid. (One idea is
open+fstat+fexecve; another is ptrace+exec, where ptrace just serves
to inhibit suid.)

> I don't know why upstream glibc would not(?) patch the issue that way.
> It's a trivial change.  Is there some WONTFIX for this in glibc Bugzilla
> already?  Sounds like material for your blog if so. ;-)

There was a new patch for this issue on the libc-alpha list back in
March of this year, but I don't think it's been committed yet. See
"[PATCH] Never try to execute the file in ldd", Message-ID:
<mvma9cfobqi.fsf@...king.suse.de>.

Rich
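
The PT_INTERP idea above, worked through as an added example; this is not code from the musl project, from glibc's ldd, or from anyone in this thread. It reads the PT_INTERP program header of an ELF64 file with every offset bounds-checked (the binary being traced is untrusted input), then opens the named interpreter and fstat()s the descriptor, refusing to pass it on to fexecve(3) when it is set-user-ID or set-group-ID. The function names are mine, `build_sample_elf` only constructs a throwaway in-memory image for self-testing, and the code assumes a little-endian host and ELF64 (no ELF32 or cross-endian handling).

```c
#define _GNU_SOURCE
#include <elf.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy the PT_INTERP path of an in-memory ELF64 image into out. The file is
 * attacker-controlled, so every offset is bounds-checked against len before
 * use. Assumes a little-endian host. Returns 0, or -1 if malformed/absent. */
int elf64_interp(const unsigned char *img, size_t len, char *out, size_t outlen)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 || eh.e_ident[EI_DATA] != ELFDATA2LSB ||
        eh.e_phentsize != sizeof(Elf64_Phdr))
        return -1;
    /* the program header table must lie entirely inside the image */
    if (eh.e_phoff > len || eh.e_phnum > (len - eh.e_phoff) / sizeof(Elf64_Phdr))
        return -1;
    for (size_t i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, img + eh.e_phoff + i * sizeof ph, sizeof ph);
        if (ph.p_type != PT_INTERP) continue;
        if (ph.p_offset > len || ph.p_filesz > len - ph.p_offset)
            return -1;                          /* segment points outside the file */
        const unsigned char *s = img + ph.p_offset;
        const unsigned char *nul = memchr(s, 0, ph.p_filesz);
        if (!nul || (size_t)(nul - s) + 1 > outlen)
            return -1;                          /* unterminated, or too long for out */
        memcpy(out, s, (size_t)(nul - s) + 1);
        return 0;
    }
    return -1;
}

/* Open the interpreter and refuse it unless it is a regular file with neither
 * set-user-ID nor set-group-ID. The fstat() is done on the open descriptor,
 * which the caller then hands to fexecve(3), so the file that was checked is
 * the file that runs. Returns the descriptor, or -1 on refusal. */
int open_interp_nosuid(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        (st.st_mode & (S_ISUID | S_ISGID))) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Build a minimal little-endian ELF64 image (constructed test data, not a
 * real program) whose single program header is PT_INTERP naming interp.
 * Returns the image size, or 0 if buf is too small. */
size_t build_sample_elf(unsigned char *buf, size_t buflen, const char *interp)
{
    Elf64_Ehdr eh; Elf64_Phdr ph;
    size_t slen = strlen(interp) + 1, total = sizeof eh + sizeof ph + slen;
    if (buflen < total) return 0;
    memset(&eh, 0, sizeof eh); memset(&ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT; eh.e_version = EV_CURRENT;
    eh.e_type = ET_EXEC; eh.e_machine = EM_X86_64; eh.e_ehsize = sizeof eh;
    eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof ph; eh.e_phnum = 1;
    ph.p_type = PT_INTERP; ph.p_flags = PF_R;
    ph.p_offset = sizeof eh + sizeof ph; ph.p_filesz = ph.p_memsz = slen;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, &ph, sizeof ph);
    memcpy(buf + ph.p_offset, interp, slen);
    return total;
}

/* Usage: ./interpcheck <elf-binary>. Reports the interpreter and whether a
 * hardened ldd could safely run it through fexecve(). */
int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <elf-binary>\n", argv[0]); return 2; }
    struct stat st;
    int fd = open(argv[1], O_RDONLY);
    if (fd < 0 || fstat(fd, &st) < 0) { perror(argv[1]); return 1; }
    unsigned char *img = malloc(st.st_size + 1);
    if (!img || read(fd, img, st.st_size) != st.st_size) { perror("read"); return 1; }
    char interp[4096];
    if (elf64_interp(img, st.st_size, interp, sizeof interp) < 0) {
        fprintf(stderr, "%s: no usable PT_INTERP\n", argv[1]); return 1;
    }
    printf("interpreter: %s\n", interp);
    int ifd = open_interp_nosuid(interp);
    if (ifd < 0) { fprintf(stderr, "refusing: set-id, missing or not a regular file\n"); return 1; }
    printf("ok: safe to hand to fexecve()\n");
    close(ifd); return 0;
}
```

The descriptor returned by `open_interp_nosuid` is what a hardened ldd would pass to fexecve(3), with the traced binary's path as the argument and the loader's trace variable in the environment, so the interpreter inspected is exactly the one executed. The point of checking the mode rather than the path is that a crafted binary can name any file as its interpreter; refusing set-id files (and anything that is not a regular file) is what keeps the trace harmless whichever interpreter the binary asks for.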
