From: Steven Honeyman
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: Binaries compiled with musl (1.1.2) are vulnerable to an ancient ldd exploit
Date: Sat, 14 Jun 2014 17:27:33 +0100
Message-ID:
References: <20140614160243.GG179@brightrain.aerifal.cx> <20140614161401.GA12447@openwall.com> <20140614162443.GI179@brightrain.aerifal.cx>
In-Reply-To: <20140614162443.GI179@brightrain.aerifal.cx>
Reply-To: musl@lists.openwall.com
To: musl@lists.openwall.com
Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm
Xref: news.gmane.org gmane.linux.lib.musl.general:5258

A quick search suggests it's been "patched" in Debian, Redhat, Owl glibc
packages at least, but not upstream yet for some reason. If that libc-alpha
commit makes it through (eventually!) then agreed, this is no longer an issue.

On 14 June 2014 17:24, Rich Felker wrote:
> On Sat, Jun 14, 2014 at 08:14:01PM +0400, Solar Designer wrote:
>> Rich,
>>
>> On Sat, Jun 14, 2014 at 12:02:43PM -0400, Rich Felker wrote:
>> > (Actually, I think
>> > this issue may be fixed in modern glibc ldd, but I'm not sure.)
>>
>> IIRC, we have this worked around in patched glibc's ldd on Owl by having
>> it always explicitly run the program through /lib/ld-linux.so.2, which
>> obviously does interpret its env vars that the ldd script sets. That ldd
>> script assumes glibc's /lib/ld-linux.so.2 anyway (env vars, exit codes).
>
> One improvement to this, if one wants to support multiple glibc
> installations with different interpreters, would be parsing the
> PT_INTERP from the binary, then exec'ing it in a way that inhibits
> suid if the pointed-to binary happens to be suid. (One idea is
> open+fstat+fexecve; another is ptrace+exec, where ptrace just serves
> to inhibit suid.)
>
>> I don't know why upstream glibc would not(?) patch the issue that way.
>> It's a trivial change. Is there some WONTFIX for this in glibc Bugzilla
>> already? Sounds like material for your blog if so. ;-)
>
> There was a new patch for this issue on the libc-alpha list back in
> March of this year, but I don't think it's been committed yet. See
> "[PATCH] Never try to execute the file in ldd", Message-ID:
> .
>
> Rich
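The approach Solar and Rich describe above, as an added example that is not code from musl, glibc or Owl: instead of letting ldd exec the target binary (which runs the target's own code whenever its PT_INTERP is not the glibc loader that honours LD_TRACE_LOADED_OBJECTS), parse PT_INTERP out of the ELF image, accept only a known loader that is not set-id, and run that loader directly with --list. The ELF structure subset, the allowlist in interp_is_trusted, the make_sample_elf fixture and the refuse-if-set-id check (a simpler stand-in for Rich's suid-inhibiting exec ideas, not an implementation of them) are the example's own assumptions.

```c
/* Added example (not musl, glibc or Owl code): a "never execute the target"
 * ldd front end. It locates PT_INTERP in the ELF image, accepts only a known,
 * non-set-id loader, and then runs that loader with --list. The target's own
 * entry point is never executed, so a musl-linked or otherwise non-glibc
 * binary cannot run arbitrary code as the user who typed "ldd".
 * Structure definitions below are a self-contained subset of <elf.h>. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

typedef struct {                       /* ELF64 file header (64 bytes) */
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Ehdr64;

typedef struct {                       /* ELF64 program header (56 bytes) */
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} Phdr64;

enum { PT_LOAD_ = 1, PT_INTERP_ = 3, ELFCLASS64_ = 2, ELFDATA2LSB_ = 1 };
enum { INTERP_OK = 0, INTERP_NOT_ELF = -1, INTERP_STATIC = -2, INTERP_MALFORMED = -3 };

/* Copy the PT_INTERP string of an in-memory ELF64 LSB image into out. */
int find_interp(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
    Ehdr64 eh;
    if (len < sizeof eh || memcmp(buf, "\x7f" "ELF", 4) != 0) return INTERP_NOT_ELF;
    if (buf[4] != ELFCLASS64_ || buf[5] != ELFDATA2LSB_) return INTERP_NOT_ELF;
    memcpy(&eh, buf, sizeof eh);                   /* memcpy: buf may be unaligned */
    if (eh.e_phentsize != sizeof(Phdr64) || eh.e_phoff > len ||
        (uint64_t)eh.e_phnum * sizeof(Phdr64) > len - eh.e_phoff)
        return INTERP_MALFORMED;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        Phdr64 ph;
        memcpy(&ph, buf + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type != PT_INTERP_) continue;
        /* Every offset comes from the untrusted file: bounds-check before use. */
        if (ph.p_offset > len || ph.p_filesz > len - ph.p_offset ||
            ph.p_filesz == 0 || ph.p_filesz > outlen)
            return INTERP_MALFORMED;
        memcpy(out, buf + ph.p_offset, ph.p_filesz);
        return memchr(out, '\0', ph.p_filesz) ? INTERP_OK : INTERP_MALFORMED;
    }
    return INTERP_STATIC;                          /* no PT_INTERP: static or odd */
}

/* Allowlist of loaders known to honour LD_TRACE_LOADED_OBJECTS / --list.
 * Assumed list for the example; a real tool would take it from configuration. */
int interp_is_trusted(const char *interp)
{
    static const char *const known[] = {
        "/lib64/ld-linux-x86-64.so.2", "/lib/ld-linux.so.2", "/lib/ld-linux-aarch64.so.1",
    };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(interp, known[i]) == 0) return 1;
    return 0;
}

/* Constructed fixture, not a real binary: ELF64 image with one PT_LOAD and,
 * when interp is non-NULL, one PT_INTERP. Returns the image length. */
size_t make_sample_elf(uint8_t *buf, size_t cap, const char *interp)
{
    Ehdr64 eh; Phdr64 ph[2];
    size_t ilen = interp ? strlen(interp) + 1 : 0;
    uint16_t phnum = interp ? 2 : 1;
    size_t total = sizeof eh + phnum * sizeof(Phdr64) + ilen;
    if (total > cap) return 0;
    memset(&eh, 0, sizeof eh); memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = ELFCLASS64_; eh.e_ident[5] = ELFDATA2LSB_; eh.e_ident[6] = 1;
    eh.e_type = 2; eh.e_machine = 62; eh.e_version = 1;     /* ET_EXEC, x86-64 */
    eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof(Phdr64); eh.e_phnum = phnum;
    ph[0].p_type = PT_LOAD_; ph[0].p_filesz = ph[0].p_memsz = total; ph[0].p_align = 0x1000;
    if (interp) {
        ph[1].p_type = PT_INTERP_; ph[1].p_offset = sizeof eh + 2 * sizeof(Phdr64);
        ph[1].p_filesz = ph[1].p_memsz = ilen; ph[1].p_align = 1;
    }
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, ph, phnum * sizeof(Phdr64));
    if (interp) memcpy(buf + ph[1].p_offset, interp, ilen);
    return total;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s ELF-file\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    if (fseek(f, 0, SEEK_END) != 0) { perror("fseek"); return 2; }
    long n = ftell(f); rewind(f);
    uint8_t *img = malloc(n > 0 ? (size_t)n : 1);
    if (!img || n < 0 || fread(img, 1, (size_t)n, f) != (size_t)n) { perror("read"); return 2; }
    fclose(f);
    char interp[4096];
    int rc = find_interp(img, (size_t)n, interp, sizeof interp);
    free(img);
    if (rc != INTERP_OK) { fprintf(stderr, "%s: no usable PT_INTERP (rc=%d); not executing it\n", argv[1], rc); return 1; }
    struct stat st;
    /* Refusing a set-id loader is a simpler stand-in for Rich's suid-inhibiting exec ideas. */
    if (!interp_is_trusted(interp) || stat(interp, &st) != 0 || (st.st_mode & (S_ISUID | S_ISGID))) {
        fprintf(stderr, "%s: interpreter %s is not a trusted, non-set-id loader; not executing it\n", argv[1], interp);
        return 1;
    }
    execl(interp, interp, "--list", argv[1], (char *)NULL);   /* glibc ld.so --list: dependency listing */
    perror("execl");
    return 2;
}
```

The two failure paths are the ones the thread is about: a musl-linked binary carries a PT_INTERP such as /lib/ld-musl-x86_64.so.1, which is not in the allowlist, so the tool stops before anything is executed; a static binary has no PT_INTERP at all and is likewise never run. The old ldd script, by contrast, exec'd the file itself and relied on the interpreter to notice LD_TRACE_LOADED_OBJECTS.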