Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 30 Mar 2024 12:32:39 -0700
From: Andres Freund <>
Subject: Re: backdoor in upstream xz/liblzma leading to ssh server compromise


On 2024-03-29 08:51:26 -0700, Andres Freund wrote:
> To be able to resolve symbols in libraries that have not yet loaded, the
> backdoor installs an audit hook into the dynamic linker, which can be observed
> with gdb using
>   watch _rtld_global_ro._dl_naudit
> It looks like the audit hook is only installed for the main binary.

This is one aspect I've, somewhat surprisingly, not seen discussed.  From what
I can tell the rtld-audit infrastructure significantly weakens -z now -z
relro, by making it fairly easy for something loaded earlier to redirect
symbols in later libraries / the main binary.

Purely anecdotaly, I've not seen much use of rtld-audit. It's not implemented
in other linux libc implementations like musl, afaict.  Is it time to retire
rtld-audit, or at least to allow applications to opt out of it?


Andres Freund

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.