From: "schwab@linux-m68k.org"
To: glibc-bugs@sourceware.org
Subject: [Bug dynamic-link/16750] New: ldd should not try to execute the binaries
Date: Tue, 25 Mar 2014 10:06:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=16750

            Bug ID: 16750
           Summary: ldd should not try to execute the binaries
           Product: glibc
           Version: 2.18
            Status: NEW
          Severity: normal
          Priority: P2
         Component: dynamic-link
          Assignee: unassigned at sourceware dot org
          Reporter: schwab@linux-m68k.org

Currently, if ld.so --verify indicates that the binary has an interpreter, ldd
tries to execute it directly (with the appropriate environment to request
listing dependent libraries). This can result in a random interpreter being
executed on behalf of the user and is insecure. Instead, ldd should always
use the known good dynamic linker installed in the system to list the library
dependencies. See for references.
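An added illustration, not part of the bug report and not glibc code: a pre-check that reads the interpreter a binary requests (its PT_INTERP program header) by parsing the file only, and compares it with a list of loaders the system trusts, so nothing named by the binary is ever run. The `TRUSTED_LOADERS` set, the function names and the `sample_elf64` test image are assumptions made for this example.

```python
import struct

PT_INTERP = 3
# Assumption: the loaders this system trusts; adjust per distribution/architecture.
TRUSTED_LOADERS = {"/lib64/ld-linux-x86-64.so.2", "/lib/ld-linux.so.2"}

def elf_interp(data):
    """Return the PT_INTERP path of an ELF image by parsing only (never executing).
    Returns None for non-ELF, static, or malformed/truncated input."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] not in (1, 2):
        return None
    is64 = data[4] == 2                       # EI_CLASS: 1 = ELF32, 2 = ELF64
    e = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    try:
        if is64:
            phoff, = struct.unpack_from(e + "Q", data, 32)
            phentsize, phnum = struct.unpack_from(e + "HH", data, 54)
        else:
            phoff, = struct.unpack_from(e + "I", data, 28)
            phentsize, phnum = struct.unpack_from(e + "HH", data, 42)
        for i in range(phnum):
            off = phoff + i * phentsize
            if struct.unpack_from(e + "I", data, off)[0] != PT_INTERP:
                continue
            if is64:                          # Elf64_Phdr: p_offset @8, p_filesz @32
                p_offset, = struct.unpack_from(e + "Q", data, off + 8)
                p_filesz, = struct.unpack_from(e + "Q", data, off + 32)
            else:                             # Elf32_Phdr: p_offset @4, p_filesz @16
                p_offset, = struct.unpack_from(e + "I", data, off + 4)
                p_filesz, = struct.unpack_from(e + "I", data, off + 16)
            raw = data[p_offset:p_offset + p_filesz]
            return raw.split(b"\0", 1)[0].decode("utf-8", "replace") or None
    except (struct.error, OverflowError):     # header table runs past end of file
        return None
    return None

def classify(data):
    """Return 'no-interp', 'trusted-loader' or 'untrusted-loader' for an image."""
    interp = elf_interp(data)
    if interp is None:
        return "no-interp"
    return "trusted-loader" if interp in TRUSTED_LOADERS else "untrusted-loader"

def sample_elf64(interp):
    """Constructed minimal little-endian ELF64 image with one PT_INTERP header."""
    path = interp.encode() + b"\0"
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 120, 0, 0, len(path), len(path), 1)
    return ehdr + phdr + path
```

A file classified as `untrusted-loader` names an interpreter outside the trusted set, which is the case the report says ldd should not execute.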