From: Jakub Jelinek
To: Thorsten Kukuk
Cc: libc-hacker@sources.redhat.com
Subject: Re: Gentoo glibc security advisory
Date: Wed, 18 Aug 2004 09:21:00 -0000
Message-ID: <20040818070409.GQ30497@sunsite.ms.mff.cuni.cz>
In-Reply-To: <20040818084135.GA6931@suse.de>

On Wed, Aug 18, 2004 at 10:41:35AM +0200, Thorsten Kukuk wrote:
>
> Hi,
>
> Gentoo has issued an advisory:
> http://www.gentoo.org/security/en/glsa/glsa-200408-16.xml
>
> "An attacker can gain the list of symbols a SUID application uses and their

That's true.

> locations

LD_DEBUG=all doesn't give you exact addresses of symbols (but
LD_TRACE_PRELINKING=1 does, maybe we should turn that off for
__libc_enable_secure and missing /etc/suid-debug).
It only tells you which libraries' symbols are used.

> and can then use a trojaned library taking precedence over those
> symbols to gain information

This is wrong.
You can't LD_PRELOAD a trojaned library to a suid binary (unless it is in
the standard paths and sgid I think) nor can you use LD_LIBRARY_PATH to
trick it in any way.

> or perform further exploitation."
>
> with the following patch:
>
> http://www.gentoo.org/cgi-bin/viewcvs.cgi/sys-libs/glibc/files/glibc-sec-hotfix-20040804.patch?rev=1.1&content-type=text/vnd.viewcvs-markup

BTW,
* Fixes a glibc bug where certain envvars are interpreted even if
  UNSECURE_ENVVARS says to drop them
is wrong, they are interpreted on purpose, but with caution if
__libc_enable_secure.

	Jakub
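The message describes the gating glibc applies to LD_DEBUG in a secure (setuid/setgid) process: the variable is honoured only when the administrator has created /etc/suid-debug, and Jakub suggests the same gate for LD_TRACE_PRELINKING. The following C program is an added example, not glibc's code nor anything from the mail, showing how an application can apply the same policy to its own diagnostic environment variable. The variable name MYAPP_DEBUG, the function names, and the reuse of /etc/suid-debug as the marker path are assumptions made for this example.

```c
/* Added example (not glibc's or the mail author's code): ignore a diagnostic
 * environment variable in a secure (setuid/setgid) process unless an
 * administrator has created a marker file, mirroring the LD_DEBUG /
 * /etc/suid-debug behaviour described in the message. MYAPP_DEBUG and the
 * marker path are assumptions for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#if defined(__linux__)
#include <sys/auxv.h>
/* The kernel sets AT_SECURE when the executable is setuid/setgid (or gained
 * capabilities); glibc's __libc_enable_secure reflects the same flag. */
static int running_secure(void)
{
    return getauxval(AT_SECURE) != 0;
}
#else
/* Portable approximation: real and effective ids differ. */
static int running_secure(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}
#endif

/* Pure policy decision, kept separate so it can be tested without a setuid
 * binary: a non-secure process always honours the variable; a secure one
 * honours it only when the administrator's marker file is present. */
int debug_env_allowed(int secure, int marker_present)
{
    if (!secure)
        return 1;
    return marker_present;
}

/* Existence check for the marker file (no permission semantics needed). */
static int marker_exists(const char *path)
{
    return access(path, F_OK) == 0;
}

/* Resolve the effective debug setting: the env value when it is allowed,
 * NULL when it is unset, empty, or must be ignored under the policy. */
const char *effective_debug(const char *env_value, int secure, int marker_present)
{
    if (env_value == NULL || *env_value == '\0')
        return NULL;
    if (!debug_env_allowed(secure, marker_present))
        return NULL;
    return env_value;
}

int main(void)
{
    /* Reusing glibc's /etc/suid-debug path is an assumption for the example;
     * a real program would choose its own marker. */
    const char *marker = "/etc/suid-debug";
    int secure = running_secure();
    const char *dbg = effective_debug(getenv("MYAPP_DEBUG"), secure,
                                      marker_exists(marker));

    if (dbg)
        fprintf(stderr, "debug output enabled: %s\n", dbg);
    else if (secure && getenv("MYAPP_DEBUG"))
        fprintf(stderr, "MYAPP_DEBUG ignored in secure mode (no %s)\n", marker);
    return 0;
}
```

Keeping the decision in a pure function (secure flag plus marker presence) is the useful design point: the privileged/unprivileged distinction comes from the kernel via AT_SECURE rather than from anything in the environment, so the attacker-controlled variable can never switch the gate off on its own.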