[Bug libc/23323] Recommendations for devs stuck with old glibc versions

[Bug libc/23323] Recommendations for devs stuck with old glibc versions

[amb]

Hi,

I am forced to build against an old glibc version in order to run my
code on a large number of target linux systems. For developers like
me, what is the recommended way to mitigate the issue described in
https://sourceware.org/bugzilla/show_bug.cgi?id=23323 ?

If mitigation is not possible, should I be concerned about this as a
potential security issue for my application? I don't know if this
issue was ever assigned a CVE so I was not able to query its severity.
Is there a CVE for this?

Thanks

Re: [Bug libc/23323] Recommendations for devs stuck with old glibc versions

[Florian Weimer]

* amb via Libc-help:

> I am forced to build against an old glibc version in order to run my
> code on a large number of target linux systems. For developers like
> me, what is the recommended way to mitigate the issue described in
> https://sourceware.org/bugzilla/show_bug.cgi?id=23323 ?

It's just a missed hardening opportunity.  Your binary will likely have
other gadgets in it anyway.  Note that we have not treated it as a
security vulnerability.

If your main program does not use ELF constructors, you can use custom
startup files without the ELF constructor trampoline.

Thanks,
Florian