* [Bug libc/12393] ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN
2011-01-12 14:47 [Bug libc/12393] New: ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN thoger at redhat dot com
@ 2011-04-11 14:22 ` thoger at redhat dot com
2011-04-16 0:44 ` pasky at suse dot cz
` (14 subsequent siblings)
15 siblings, 0 replies; 17+ messages in thread
From: thoger at redhat dot com @ 2011-04-11 14:22 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12393
--- Comment #1 from Tomas Hoger <thoger at redhat dot com> 2011-04-11 14:22:23 UTC ---
All mentioned cases now seem to be addressed in Andreas' fedora master git
branch. Following seem to be the relevant commits:
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=96611391
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=101fdc24
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=049b59f7
(In reply to comment #0)
> ld.so currently expands $ORIGIN in privileged programs' RPATH when $ORIGIN is
> listed alone (see _dl_dst_count and is_dst)
is_dst() was changed by the above patches to flag $ORIGIN as recognized DST
even when in __libc_enable_secure mode. $ORIGIN is no longer expanded for
executables, but it is for libraries.
> $ORIGIN is not expanded if it's not the only thing in RPATH, e.g. in cases
> like $ORIGIN/../lib, as DL_DST_COUNT() returns 0 and
> expand_dynamic_string_token() uses strdup rather than _dl_dst_substitute()
As is_dst() no longer ignores $ORIGIN for privileged programs, DL_DST_COUNT()
does not return 0 any more and _dl_dst_substitute() is called.
Few comments regarding the applied changes:
- following comment in _dl_dst_substitute() is not completely correct:
/* $ORIGIN is not expanded for SUID/GUID programs
(except if it is $ORIGIN alone) and it must always
appear first in path. */
Expansion does not happen for SUID/SGID programs, but does for the libs they
use.
- following comment is bit misleading:
/* Also skip following colon if this is the first rpath
element, but keep an empty element at the end. */
Colon is skipped if there was no output written to the result buffer yet, so it
may happen multiple times if multiple rpath elements are skipped (e.g.
$ORIGIN:$ORIGIN:/lib).
- is_dst() no longer uses start argument passed to it. _dl_dst_count() only
uses start to pass it to is_dst().
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 17+ messages in thread* [Bug libc/12393] ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN
2011-01-12 14:47 [Bug libc/12393] New: ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN thoger at redhat dot com
2011-04-11 14:22 ` [Bug libc/12393] " thoger at redhat dot com
@ 2011-04-16 0:44 ` pasky at suse dot cz
2011-04-17 20:49 ` thoger at redhat dot com
` (13 subsequent siblings)
15 siblings, 0 replies; 17+ messages in thread
From: pasky at suse dot cz @ 2011-04-16 0:44 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12393
Petr Baudis <pasky at suse dot cz> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |pasky at suse dot cz
--- Comment #2 from Petr Baudis <pasky at suse dot cz> 2011-04-16 00:41:46 UTC ---
The initial comment is highly confusing, since when it says "ld.so currently
expands $ORIGIN..." it talks NOT about master, but just about the fedora/
branches! In master, $ORIGIN is still expanded even for setuid programs, making
just the hardlink attack possible in case someone is foolish enough to compile
their setuid program with rpath $ORIGIN.
Therefore, the bug pretty much just describes which changes need to be covered
when restricting $ORIGIN usage in setuid programs in master. An additional
Ulrich's requirement is to whitelist system directories as $ORIGIN values even
in setuid programs.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 17+ messages in thread* [Bug libc/12393] ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN
2011-01-12 14:47 [Bug libc/12393] New: ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN thoger at redhat dot com
2011-04-11 14:22 ` [Bug libc/12393] " thoger at redhat dot com
2011-04-16 0:44 ` pasky at suse dot cz
@ 2011-04-17 20:49 ` thoger at redhat dot com
2011-04-18 14:15 ` pasky at suse dot cz
` (12 subsequent siblings)
15 siblings, 0 replies; 17+ messages in thread
From: thoger at redhat dot com @ 2011-04-17 20:49 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12393
--- Comment #3 from Tomas Hoger <thoger at redhat dot com> 2011-04-17 20:48:57 UTC ---
(In reply to comment #2)
> The initial comment is highly confusing, since when it says "ld.so currently
> expands $ORIGIN..." it talks NOT about master, but just about the fedora/
> branches!
Petr, I don't understand what confused you so highly. Initial comment does
point out several problematic cases, but it makes it clear that the first two
affect currently used glibc versions (and various past versions, it seems the
behaviour has not changed for 7+ years), and the third one was an issue that a
*proposed* patch to address previous issues introduces, as that problem was not
mentioned in the relevant libc-hacker thread.
> In master, $ORIGIN is still expanded even for setuid programs
As mentioned in comment #0, with an exception mentioned there too. I fail to
see how this contradicts the part of the comment #0 you quoted.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 17+ messages in thread* [Bug libc/12393] ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN
2011-01-12 14:47 [Bug libc/12393] New: ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN thoger at redhat dot com
` (2 preceding siblings ...)
2011-04-17 20:49 ` thoger at redhat dot com
@ 2011-04-18 14:15 ` pasky at suse dot cz
2011-04-18 16:13 ` thoger at redhat dot com
` (11 subsequent siblings)
15 siblings, 0 replies; 17+ messages in thread
From: pasky at suse dot cz @ 2011-04-18 14:15 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12393
--- Comment #4 from Petr Baudis <pasky at suse dot cz> 2011-04-18 14:14:35 UTC ---
You are right. I got a bit lost in the maze of all the RH bugs and advisories
and in the end misinterpreted your comment. I was confused, not the bug. :-)
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 17+ messages in thread* [Bug libc/12393] ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN
2011-01-12 14:47 [Bug libc/12393] New: ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN thoger at redhat dot com
` (3 preceding siblings ...)
2011-04-18 14:15 ` pasky at suse dot cz
@ 2011-04-18 16:13 ` thoger at redhat dot com
2011-04-22 1:42 ` pasky at suse dot cz
` (10 subsequent siblings)
15 siblings, 0 replies; 17+ messages in thread
From: thoger at redhat dot com @ 2011-04-18 16:13 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12393
--- Comment #5 from Tomas Hoger <thoger at redhat dot com> 2011-04-18 16:13:38 UTC ---
No worries, thank for looking!
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 17+ messages in thread* [Bug libc/12393] ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN
2011-01-12 14:47 [Bug libc/12393] New: ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN thoger at redhat dot com
` (4 preceding siblings ...)
2011-04-18 16:13 ` thoger at redhat dot com
@ 2011-04-22 1:42 ` pasky at suse dot cz
2011-04-26 13:28 ` thoger at redhat dot com
` (9 subsequent siblings)
15 siblings, 0 replies; 17+ messages in thread
From: pasky at suse dot cz @ 2011-04-22 1:42 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12393
--- Comment #6 from Petr Baudis <pasky at suse dot cz> 2011-04-22 01:41:55 UTC ---
Created attachment 5684
--> http://sourceware.org/bugzilla/attachment.cgi?id=5684
proposed patch
Ok, here is a patch I'd propose instead of the Fedora patches (96611391 and the
two followups). It is a rather simple approach of reusing the existing logic
for checking against insecure paths in rpath. Am I missing something, is there
a case this mishandles?
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 17+ messages in thread* [Bug libc/12393] ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN
2011-01-12 14:47 [Bug libc/12393] New: ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN thoger at redhat dot com
` (5 preceding siblings ...)
2011-04-22 1:42 ` pasky at suse dot cz
@ 2011-04-26 13:28 ` thoger at redhat dot com
2011-05-03 11:14 ` schwab@linux-m68k.org
` (8 subsequent siblings)
15 siblings, 0 replies; 17+ messages in thread
From: thoger at redhat dot com @ 2011-04-26 13:28 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12393
--- Comment #7 from Tomas Hoger <thoger at redhat dot com> 2011-04-26 13:27:51 UTC ---
(In reply to comment #6)
> Am I missing something, is there a case this mishandles?
Seems to work correctly in all cases I previous pointed out. Tested with the
patch applied on top of vanilla 2.13.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 17+ messages in thread* [Bug libc/12393] ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN
2011-01-12 14:47 [Bug libc/12393] New: ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN thoger at redhat dot com
` (6 preceding siblings ...)
2011-04-26 13:28 ` thoger at redhat dot com
@ 2011-05-03 11:14 ` schwab@linux-m68k.org
2011-05-05 16:53 ` pasky at suse dot cz
` (7 subsequent siblings)
15 siblings, 0 replies; 17+ messages in thread
From: schwab@linux-m68k.org @ 2011-05-03 11:14 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12393
--- Comment #8 from Andreas Schwab <schwab@linux-m68k.org> 2011-05-03 11:14:05 UTC ---
This will reject any non-system library directory, which means a suid
executable will no longer be able to use private libraries, even if they would
be secure.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 17+ messages in thread* [Bug libc/12393] ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN
2011-01-12 14:47 [Bug libc/12393] New: ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN thoger at redhat dot com
` (7 preceding siblings ...)
2011-05-03 11:14 ` schwab@linux-m68k.org
@ 2011-05-05 16:53 ` pasky at suse dot cz
2011-05-07 15:46 ` drepper.fsp at gmail dot com
` (6 subsequent siblings)
15 siblings, 0 replies; 17+ messages in thread
From: pasky at suse dot cz @ 2011-05-05 16:53 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12393
Petr Baudis <pasky at suse dot cz> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #5684|0 |1
is obsolete| |
--- Comment #9 from Petr Baudis <pasky at suse dot cz> 2011-05-05 16:52:15 UTC ---
Created attachment 5708
--> http://sourceware.org/bugzilla/attachment.cgi?id=5708
updated patch
Fair point. The updated patch is to replace the original one, instead relaxing
the original restriction on $ORIGIN not being alone in the path. Instead, in
case of a setuid binary, it verifies fully expanded and /../-normalized path
elements where $ORIGIN has occurred against the list of trusted paths.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 17+ messages in thread* [Bug libc/12393] ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN
2011-01-12 14:47 [Bug libc/12393] New: ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN thoger at redhat dot com
` (8 preceding siblings ...)
2011-05-05 16:53 ` pasky at suse dot cz
@ 2011-05-07 15:46 ` drepper.fsp at gmail dot com
2011-05-09 8:41 ` schwab@linux-m68k.org
` (5 subsequent siblings)
15 siblings, 0 replies; 17+ messages in thread
From: drepper.fsp at gmail dot com @ 2011-05-07 15:46 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12393
Ulrich Drepper <drepper.fsp at gmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #10 from Ulrich Drepper <drepper.fsp at gmail dot com> 2011-05-07 15:46:09 UTC ---
I mostly agree with the last patch. It contained some bugs and removed a check
which has to stay. I've checked in an updated patch.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 17+ messages in thread* [Bug libc/12393] ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN
2011-01-12 14:47 [Bug libc/12393] New: ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN thoger at redhat dot com
` (9 preceding siblings ...)
2011-05-07 15:46 ` drepper.fsp at gmail dot com
@ 2011-05-09 8:41 ` schwab@linux-m68k.org
2011-05-09 10:25 ` pasky at suse dot cz
` (4 subsequent siblings)
15 siblings, 0 replies; 17+ messages in thread
From: schwab@linux-m68k.org @ 2011-05-09 8:41 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12393
Andreas Schwab <schwab@linux-m68k.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|FIXED |
--- Comment #11 from Andreas Schwab <schwab@linux-m68k.org> 2011-05-09 08:40:44 UTC ---
This comment:
/* In SUID/SGID programs, after $ORIGIN expansion the
normalized path must be rooted in one of the trusted
directories. */
is bogus. In a privileged program $ORIGIN is not expanded except when
isolated, and the binary will never be in a directory that is considered
trusted (only library directories are). Also, check_for_trusted is only reset
when the test for trusted directories has succeeded, if it didn't the next path
element will be checked as well. It also does not address the problem of
$ORIGIN/../lib not being expanded but accepted.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 17+ messages in thread* [Bug libc/12393] ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN
2011-01-12 14:47 [Bug libc/12393] New: ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN thoger at redhat dot com
` (10 preceding siblings ...)
2011-05-09 8:41 ` schwab@linux-m68k.org
@ 2011-05-09 10:25 ` pasky at suse dot cz
2011-05-11 4:17 ` drepper.fsp at gmail dot com
` (3 subsequent siblings)
15 siblings, 0 replies; 17+ messages in thread
From: pasky at suse dot cz @ 2011-05-09 10:25 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12393
--- Comment #12 from Petr Baudis <pasky at suse dot cz> 2011-05-09 10:24:19 UTC ---
Good catch with the elem_trusted variable not being reset!
What prevents $ORIGIN that is not alone in the path from being expanded? The
point of this change is to allow that to happen securely.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 17+ messages in thread* [Bug libc/12393] ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN
2011-01-12 14:47 [Bug libc/12393] New: ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN thoger at redhat dot com
` (11 preceding siblings ...)
2011-05-09 10:25 ` pasky at suse dot cz
@ 2011-05-11 4:17 ` drepper.fsp at gmail dot com
2014-02-16 19:41 ` jackie.rosen at hushmail dot com
` (2 subsequent siblings)
15 siblings, 0 replies; 17+ messages in thread
From: drepper.fsp at gmail dot com @ 2011-05-11 4:17 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12393
Ulrich Drepper <drepper.fsp at gmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |RESOLVED
Resolution| |FIXED
--- Comment #13 from Ulrich Drepper <drepper.fsp at gmail dot com> 2011-05-11 04:17:27 UTC ---
There were a few issues which should be fixed now. Subdirs of trusted
directories are allowed.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 17+ messages in thread* [Bug libc/12393] ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN
2011-01-12 14:47 [Bug libc/12393] New: ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN thoger at redhat dot com
` (12 preceding siblings ...)
2011-05-11 4:17 ` drepper.fsp at gmail dot com
@ 2014-02-16 19:41 ` jackie.rosen at hushmail dot com
2014-05-28 19:44 ` schwab at sourceware dot org
2014-06-27 12:31 ` [Bug libc/12393] ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN (CVE-2011-1658) fweimer at redhat dot com
15 siblings, 0 replies; 17+ messages in thread
From: jackie.rosen at hushmail dot com @ 2014-02-16 19:41 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=12393
Jackie Rosen <jackie.rosen at hushmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jackie.rosen at hushmail dot com
--- Comment #14 from Jackie Rosen <jackie.rosen at hushmail dot com> ---
*** Bug 260998 has been marked as a duplicate of this bug. ***
Seen from the domain http://volichat.com
Page where seen: http://volichat.com/adult-chat-rooms
Marked for reference. Resolved as fixed @bugzilla.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 17+ messages in thread* [Bug libc/12393] ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN
2011-01-12 14:47 [Bug libc/12393] New: ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN thoger at redhat dot com
` (13 preceding siblings ...)
2014-02-16 19:41 ` jackie.rosen at hushmail dot com
@ 2014-05-28 19:44 ` schwab at sourceware dot org
2014-06-27 12:31 ` [Bug libc/12393] ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN (CVE-2011-1658) fweimer at redhat dot com
15 siblings, 0 replies; 17+ messages in thread
From: schwab at sourceware dot org @ 2014-05-28 19:44 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=12393
Andreas Schwab <schwab at sourceware dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC|jackie.rosen at hushmail dot com |
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 17+ messages in thread* [Bug libc/12393] ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN (CVE-2011-1658)
2011-01-12 14:47 [Bug libc/12393] New: ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN thoger at redhat dot com
` (14 preceding siblings ...)
2014-05-28 19:44 ` schwab at sourceware dot org
@ 2014-06-27 12:31 ` fweimer at redhat dot com
15 siblings, 0 replies; 17+ messages in thread
From: fweimer at redhat dot com @ 2014-06-27 12:31 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=12393
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fweimer at redhat dot com
Summary|ld.so: insecure handling of |ld.so: insecure handling of
|privileged programs' RPATHs |privileged programs' RPATHs
|with $ORIGIN |with $ORIGIN
| |(CVE-2011-1658)
Alias| |CVE-2011-1658
Flags| |security+
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 17+ messages in thread