public inbox for glibc-bugs@sourceware.org
* [Bug dynamic-link/18017] New: $ORIGIN in LD_AUDIT is not ignored for AT_SECURE programs (CVE-2010-3847)
@ 2015-02-24 16:23 fweimer at redhat dot com
  2015-02-24 16:56 ` [Bug dynamic-link/18017] " fweimer at redhat dot com
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: fweimer at redhat dot com @ 2015-02-24 16:23 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18017

            Bug ID: 18017
           Summary: $ORIGIN in LD_AUDIT is not ignored for AT_SECURE
                    programs (CVE-2010-3847)
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: dynamic-link
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com

Full details were posted to full-disclosure:
<http://seclists.org/fulldisclosure/2010/Oct/257>

The key part:

“However, I have now discovered a way to exploit this. The origin expansion
mechanism is recycled for use in LD_AUDIT support, although an attempt is made
to prevent it from working, it is insufficient.

LD_AUDIT is intended for use with the linker auditing api (see the rtld-audit
manual), and has the usual restrictions for setuid programs as LD_PRELOAD does.
However, $ORIGIN expansion is only prevented if it is not used in isolation.”

-- 
You are receiving this mail because:
You are on the CC list for the bug.
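
The filter gap quoted in the report above, as an added C model (not glibc source and not code from the report): a check that refuses $ORIGIN only when it is embedded in a longer value, beside a stricter one that never expands it for an AT_SECURE process. The function names and sample values are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model, not glibc source: does `s` contain the $ORIGIN
   dynamic string token in either spelling ($ORIGIN or ${ORIGIN})? */
static bool has_origin(const char *s)
{
    return strstr(s, "$ORIGIN") != NULL || strstr(s, "${ORIGIN}") != NULL;
}

/* Model of the insufficient filter the report describes: in secure mode a
   value that merely contains the token is refused, but a value that is the
   token and nothing else is still handed on for expansion. */
bool weak_filter_expands(const char *value, bool secure)
{
    if (!has_origin(value))
        return false;                /* nothing to expand */
    if (!secure)
        return true;                 /* unprivileged: expansion is normal */
    return strcmp(value, "$ORIGIN") == 0 || strcmp(value, "${ORIGIN}") == 0;
}

/* Stricter policy: an AT_SECURE process never expands the token. */
bool strict_filter_expands(const char *value, bool secure)
{
    return has_origin(value) && !secure;
}

/* Regression check: count the constructed sample values for which a
   filter would still expand the token when the process is AT_SECURE. */
size_t secure_expansions(bool (*filter)(const char *, bool))
{
    static const char *const samples[] = {   /* constructed sample values */
        "libaudit.so", "$ORIGIN/libaudit.so", "/opt/$ORIGIN",
        "$ORIGIN", "${ORIGIN}",
    };
    size_t hits = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (filter(samples[i], true))
            hits++;
    return hits;
}
```

A regression test for a dynamic loader's secure-mode handling should require the count to be zero for every spelling of the token, including the bare one.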

From: "joseph at codesourcery dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug libc/17252] getrandom and getentropy syscall
Date: Tue, 24 Feb 2015 16:27:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=17252

--- Comment #5 from joseph at codesourcery dot com <joseph at codesourcery dot com> ---
If you want progress on this, take a lead in the general discussion on
libc-alpha of when glibc should provide bindings to Linux kernel syscalls,
seeking to understand the differences of views expressed, find common
ground and drive the discussion to consensus.  Once we have agreed
principles on bindings for syscalls, then we can consider which new or old
syscalls should have such bindings added under those principles.


* [Bug dynamic-link/18017] $ORIGIN in LD_AUDIT is not ignored for AT_SECURE programs (CVE-2010-3847)
  2015-02-24 16:23 [Bug dynamic-link/18017] New: $ORIGIN in LD_AUDIT is not ignored for AT_SECURE programs (CVE-2010-3847) fweimer at redhat dot com
@ 2015-02-24 16:56 ` fweimer at redhat dot com
  2015-02-24 16:58 ` fweimer at redhat dot com
  2015-02-24 17:04 ` fweimer at redhat dot com
  2 siblings, 0 replies; 4+ messages in thread
From: fweimer at redhat dot com @ 2015-02-24 16:56 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18017

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
This was fixed in commit 8e9f92e9d5d7737afdacf79b76d98c4c42980508 and
22cd1c9bcf57c5829d65b6da825f7a459d40c9eb, which went into glibc 2.13.  Some
downstreams used a completely different fix initially, so the commit mapping is
a bit on shaky grounds.


* [Bug dynamic-link/18017] $ORIGIN in LD_AUDIT is not ignored for AT_SECURE programs (CVE-2010-3847)
  2015-02-24 16:23 [Bug dynamic-link/18017] New: $ORIGIN in LD_AUDIT is not ignored for AT_SECURE programs (CVE-2010-3847) fweimer at redhat dot com
  2015-02-24 16:56 ` [Bug dynamic-link/18017] " fweimer at redhat dot com
@ 2015-02-24 16:58 ` fweimer at redhat dot com
  2015-02-24 17:04 ` fweimer at redhat dot com
  2 siblings, 0 replies; 4+ messages in thread
From: fweimer at redhat dot com @ 2015-02-24 16:58 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18017

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |security+


* [Bug dynamic-link/18017] $ORIGIN in LD_AUDIT is not ignored for AT_SECURE programs (CVE-2010-3847)
  2015-02-24 16:23 [Bug dynamic-link/18017] New: $ORIGIN in LD_AUDIT is not ignored for AT_SECURE programs (CVE-2010-3847) fweimer at redhat dot com
  2015-02-24 16:56 ` [Bug dynamic-link/18017] " fweimer at redhat dot com
  2015-02-24 16:58 ` fweimer at redhat dot com
@ 2015-02-24 17:04 ` fweimer at redhat dot com
  2 siblings, 0 replies; 4+ messages in thread
From: fweimer at redhat dot com @ 2015-02-24 17:04 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18017

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://sourceware.org/bugzilla/show_bug.cgi?id=18018
