public inbox for libc-alpha@sourceware.org
* [PATCH] ldd: never run file directly
@ 2017-08-16 13:50 Florian Weimer
  2017-08-16 13:56 ` Carlos O'Donell
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Florian Weimer @ 2017-08-16 13:50 UTC (permalink / raw)
  To: GNU C Library


We have this old patch in our packages.  I think most distributions use
something similar, as a guard against surprises.

Can we finally apply this upstream?

Thanks,
Florian

[-- Attachment #2: glibc-fedora-ldd.patch --]

From 83e5edd390eabe8f8e8e0d051f929b77a30c0767 Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@redhat.com>
Date: Fri, 18 Mar 2011 16:22:52 +0100
Subject: [PATCH] ldd: never run file directly

* elf/ldd.bash.in: Never run file directly.

---
 ChangeLog       |    4 ++++
 elf/ldd.bash.in |   14 +-------------
 2 files changed, 5 insertions(+), 13 deletions(-)

--- a/elf/ldd.bash.in
+++ b/elf/ldd.bash.in
@@ -166,18 +166,6 @@ warning: you do not have execution permission for" "\`$file'" >&2
       fi
     done
     case $ret in
-    0)
-      # If the program exits with exit code 5, it means the process has been
-      # invoked with __libc_enable_secure.  Fall back to running it through
-      # the dynamic linker.
-      try_trace "$file"
-      rc=$?
-      if [ $rc = 5 ]; then
-	try_trace "$RTLD" "$file"
-	rc=$?
-      fi
-      [ $rc = 0 ] || result=1
-      ;;
     1)
       # This can be a non-ELF binary or no binary at all.
       nonelf "$file" || {
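Review bot: deleting the whole `0)` branch removes the only path that executed `$file` directly, but it also removes the three comment lines that documented the exit-status-5 (`__libc_enable_secure`) fallback, and nothing in this hunk says what now happens for status 0; read on its own, the hunk looks as if a normal ELF would fall through to `*)`. A one-line comment above `case $ret in` stating that every ELF result is now traced through `$RTLD` would make the intent visible here. Separately, the diffstat lists `ChangeLog | 4 ++++` but the patch carries no ChangeLog hunk; either include it or drop it from the diffstat.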
@@ -185,7 +173,7 @@ warning: you do not have execution permission for" "\`$file'" >&2
 	result=1
       }
       ;;
-    2)
+    0|2)
       try_trace "$RTLD" "$file" || result=1
       ;;
     *)
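Review bot: `0|2)` is the actual fix (a status-0 file is now handled by `try_trace "$RTLD" "$file"` rather than by executing the file), yet the merged label has no comment where the removed `0)` branch had three lines of explanation. Suggest adding above `0|2)` something like `# Never execute the file itself; always trace it through the known dynamic linker.` The commit message (`* elf/ldd.bash.in: Never run file directly.`) should also say that the exit-status-5 retry is intentionally gone, since that behaviour change is not obvious from the one-line summary.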


* Re: [PATCH] ldd: never run file directly
  2017-08-16 13:50 [PATCH] ldd: never run file directly Florian Weimer
@ 2017-08-16 13:56 ` Carlos O'Donell
  2017-08-16 14:11 ` Andreas Schwab
  2017-08-16 14:20 ` Dmitry V. Levin
  2 siblings, 0 replies; 6+ messages in thread
From: Carlos O'Donell @ 2017-08-16 13:56 UTC (permalink / raw)
  To: Florian Weimer, GNU C Library

On 08/16/2017 09:48 AM, Florian Weimer wrote:
> We have this old patch in our packages.  I think most distributions use
> something similar, as a guard against surprises.
> 
> Can we finally apply this upstream?

Yes please.

This is ridiculous behaviour on the part of upstream: you have no idea
what interpreter is encoded into the binary you are about to run, and
therefore should never run it directly, for security reasons.

The goal of ldd is always to print information about the program without
having to run it. We don't yet have a finished eu-ldd :-)
 
> From 83e5edd390eabe8f8e8e0d051f929b77a30c0767 Mon Sep 17 00:00:00 2001
> From: Andreas Schwab <schwab@redhat.com>
> Date: Fri, 18 Mar 2011 16:22:52 +0100
> Subject: [PATCH] ldd: never run file directly
> 
> * elf/ldd.bash.in: Never run file directly.
> 
> ---
>  ChangeLog       |    4 ++++
>  elf/ldd.bash.in |   14 +-------------
>  2 files changed, 5 insertions(+), 13 deletions(-)
> 
> --- a/elf/ldd.bash.in
> +++ b/elf/ldd.bash.in
> @@ -166,18 +166,6 @@ warning: you do not have execution permission for" "\`$file'" >&2
>        fi
>      done
>      case $ret in
> -    0)
> -      # If the program exits with exit code 5, it means the process has been
> -      # invoked with __libc_enable_secure.  Fall back to running it through
> -      # the dynamic linker.
> -      try_trace "$file"
> -      rc=$?
> -      if [ $rc = 5 ]; then
> -	try_trace "$RTLD" "$file"
> -	rc=$?
> -      fi
> -      [ $rc = 0 ] || result=1
> -      ;;

OK. This code is dangerous and depending on PT_INTERP can run anything
that might not honour the LD_DEBUG tracing options and therefore
execute a program you didn't intend to run as your user.

>      1)
>        # This can be a non-ELF binary or no binary at all.
>        nonelf "$file" || {
> @@ -185,7 +173,7 @@ warning: you do not have execution permission for" "\`$file'" >&2
>  	result=1
>        }
>        ;;
> -    2)
> +    0|2)
>        try_trace "$RTLD" "$file" || result=1
>        ;;
>      *)

OK.

-- 
Cheers,
Carlos.

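The PT_INTERP hazard Carlos describes, as an added example that is not part of this thread and not glibc's own ldd code: a small Python parser that reads PT_INTERP out of an ELF image, plus a function modelling which loader gains control under the removed direct-exec path versus the patched run-through-`$RTLD` path. The `RTLD` path, the constructed ELF images and the hostile interpreter string are assumptions made up for the demonstration; the parser handles both ELF32 and ELF64 and rejects truncated or non-ELF input.

```python
import struct

PT_INTERP = 3

# Illustrative assumption: the loader ldd would pass as $RTLD on an x86-64 glibc system.
RTLD = "/lib64/ld-linux-x86-64.so.2"


def pt_interp(data: bytes):
    """Return the PT_INTERP path stored in an ELF image, or None if it has none.

    This string is what the kernel consults when the file is executed directly,
    which is exactly why ldd must not do that: it is data chosen by whoever
    built the file, not by the person running ldd.
    """
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = {1: "<", 2: ">"}.get(ei_data)
    if end is None:
        raise ValueError("unknown ELF byte order")
    if ei_class == 2:  # ELF64: e_phoff at 0x20, e_phentsize/e_phnum at 0x36
        if len(data) < 0x40:
            raise ValueError("ELF64 header truncated")
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        phdr_fmt = end + "IIQQQQQQ"  # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
        idx = (0, 2, 5)              # positions of p_type, p_offset, p_filesz
    elif ei_class == 1:  # ELF32: e_phoff at 0x1c, e_phentsize/e_phnum at 0x2a
        if len(data) < 0x34:
            raise ValueError("ELF32 header truncated")
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
        phdr_fmt = end + "IIIIIIII"  # p_type p_offset p_vaddr p_paddr p_filesz p_memsz p_flags p_align
        idx = (0, 1, 4)
    else:
        raise ValueError("unknown ELF class")
    if e_phentsize < struct.calcsize(phdr_fmt):
        raise ValueError("program header entries too small")
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + e_phentsize > len(data):
            raise ValueError("program header table truncated")
        ph = struct.unpack_from(phdr_fmt, data, off)
        p_type, p_offset, p_filesz = ph[idx[0]], ph[idx[1]], ph[idx[2]]
        if p_type == PT_INTERP:
            if p_offset + p_filesz > len(data):
                raise ValueError("PT_INTERP segment truncated")
            raw = data[p_offset:p_offset + p_filesz].split(b"\0", 1)[0]
            return raw.decode("ascii", "replace")
    return None


def effective_loader(data: bytes, rtld: str = RTLD, direct: bool = False):
    """Which loader actually gains control when ldd traces this file.

    direct=True models the removed ldd code path (exec the file and let the
    kernel honour its PT_INTERP); direct=False models the patched path (exec
    $RTLD with the file as an argument), where the file's PT_INTERP is never
    consulted. None means no interpreter at all (a static binary's own code
    would run).
    """
    if not direct:
        return rtld
    return pt_interp(data)


def build_elf64(interp=None) -> bytes:
    """Constructed minimal little-endian ELF64 image (not runnable) with at
    most one program header, a PT_INTERP naming `interp`."""
    ehdr_size, phdr_size = 64, 56
    phnum = 0 if interp is None else 1
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, ehdr_size, 0, 0,
                                 ehdr_size, phdr_size, phnum, 0, 0, 0)
    if interp is None:
        return ehdr
    body = interp + b"\0"
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, ehdr_size + phdr_size, 0, 0,
                       len(body), len(body), 1)
    return ehdr + phdr + body


if __name__ == "__main__":
    samples = (
        ("trusted interp", build_elf64(b"/lib64/ld-linux-x86-64.so.2")),
        ("hostile interp", build_elf64(b"/tmp/constructed/not-a-real-loader")),
        ("static, no interp", build_elf64()),
    )
    for label, image in samples:
        print(f"{label:18s} direct exec -> {effective_loader(image, direct=True)!s:38s}"
              f" via $RTLD -> {effective_loader(image)}")
```

The point the second and third rows make is the one Carlos raises: under the old code path the loader that runs is whatever string the file's author wrote into PT_INTERP, while under the patched path it is always the dynamic linker that ldd itself chose.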

* Re: [PATCH] ldd: never run file directly
  2017-08-16 13:50 [PATCH] ldd: never run file directly Florian Weimer
  2017-08-16 13:56 ` Carlos O'Donell
@ 2017-08-16 14:11 ` Andreas Schwab
  2017-08-16 14:21   ` Florian Weimer
  2017-08-16 14:20 ` Dmitry V. Levin
  2 siblings, 1 reply; 6+ messages in thread
From: Andreas Schwab @ 2017-08-16 14:11 UTC (permalink / raw)
  To: Florian Weimer; +Cc: GNU C Library

On Aug 16 2017, Florian Weimer <fweimer@redhat.com> wrote:

> We have this old patch in our packages.  I think most distributions use
> something similar, as a guard against surprises.
>
> Can we finally apply this upstream?
>
> Thanks,
> Florian
>
> From 83e5edd390eabe8f8e8e0d051f929b77a30c0767 Mon Sep 17 00:00:00 2001
> From: Andreas Schwab <schwab@redhat.com>
> Date: Fri, 18 Mar 2011 16:22:52 +0100
> Subject: [PATCH] ldd: never run file directly
>
> * elf/ldd.bash.in: Never run file directly.

This is BZ #16750, CVE-2009-5064.

Andreas.

-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."


* Re: [PATCH] ldd: never run file directly
  2017-08-16 13:50 [PATCH] ldd: never run file directly Florian Weimer
  2017-08-16 13:56 ` Carlos O'Donell
  2017-08-16 14:11 ` Andreas Schwab
@ 2017-08-16 14:20 ` Dmitry V. Levin
  2 siblings, 0 replies; 6+ messages in thread
From: Dmitry V. Levin @ 2017-08-16 14:20 UTC (permalink / raw)
  To: libc-alpha


On Wed, Aug 16, 2017 at 03:48:18PM +0200, Florian Weimer wrote:
> We have this old patch in our packages.  I think most distributions use
> something similar, as a guard against surprises.

We have been patching ldd this way for 15 years already.

> Can we finally apply this upstream?

Yes, please.


-- 
ldv



* Re: [PATCH] ldd: never run file directly
  2017-08-16 14:11 ` Andreas Schwab
@ 2017-08-16 14:21   ` Florian Weimer
  2017-08-16 14:47     ` Andreas Schwab
  0 siblings, 1 reply; 6+ messages in thread
From: Florian Weimer @ 2017-08-16 14:21 UTC (permalink / raw)
  To: Andreas Schwab; +Cc: GNU C Library

On 08/16/2017 04:11 PM, Andreas Schwab wrote:
> On Aug 16 2017, Florian Weimer <fweimer@redhat.com> wrote:
> 
>> We have this old patch in our packages.  I think most distributions use
>> something similar, as a guard against surprises.
>>
>> Can we finally apply this upstream?
>>
>> Thanks,
>> Florian
>>
>> From 83e5edd390eabe8f8e8e0d051f929b77a30c0767 Mon Sep 17 00:00:00 2001
>> From: Andreas Schwab <schwab@redhat.com>
>> Date: Fri, 18 Mar 2011 16:22:52 +0100
>> Subject: [PATCH] ldd: never run file directly
>>
>> * elf/ldd.bash.in: Never run file directly.
> 
> This is BZ #16750, CVE-2009-5064.

Thanks.  What about this NEWS entry for it?

+  CVE-2009-5064: The ldd script would sometimes run the program under
+  examination directly, without preventing code execution through the
+  dynamic linker.  (The glibc project disputes that this is a security
+  vulnerability; only trusted binaries must be examined using the ldd
+  script.)

Thanks,
Florian


* Re: [PATCH] ldd: never run file directly
  2017-08-16 14:21   ` Florian Weimer
@ 2017-08-16 14:47     ` Andreas Schwab
  0 siblings, 0 replies; 6+ messages in thread
From: Andreas Schwab @ 2017-08-16 14:47 UTC (permalink / raw)
  To: Florian Weimer; +Cc: GNU C Library

On Aug 16 2017, Florian Weimer <fweimer@redhat.com> wrote:

> Thanks.  What about this NEWS entry for it?
>
> +  CVE-2009-5064: The ldd script would sometimes run the program under
> +  examination directly, without preventing code execution through the
> +  dynamic linker.  (The glibc project disputes that this is a security
> +  vulnerability; only trusted binaries must be examined using the ldd
> +  script.)

Looks ok.

Andreas.

-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."

