CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1 programs [BZ #21624]
Commit Message
LD_LIBRARY_PATH can only be used to reorder system search paths, which
is not useful functionality.
This makes an exploitable unbounded alloca in _dl_init_paths unreachable
for AT_SECURE=1 programs.
2017-06-19 Florian Weimer <fweimer@redhat.com>
[BZ #21624]
CVE-2017-1000366
* elf/rtld.c (process_envvars): Ignore LD_LIBRARY_PATH for
__libc_enable_secure.
Comments
On Mon, Jun 19, 2017 at 05:38:32PM +0200, Florian Weimer wrote:
> LD_LIBRARY_PATH can only be used to reorder system search paths, which
> is not useful functionality.
>
> This makes an exploitable unbounded alloca in _dl_init_paths unreachable
> for AT_SECURE=1 programs.
>
> 2017-06-19 Florian Weimer <fweimer@redhat.com>
>
> [BZ #21624]
> CVE-2017-1000366
> * elf/rtld.c (process_envvars): Ignore LD_LIBRARY_PATH for
> __libc_enable_secure.
This is fine, please apply.
@@ -2422,7 +2422,8 @@ process_envvars (enum mode *modep)
case 12:
/* The library search path. */
- if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
+ if (!__libc_enable_secure
+ && memcmp (envline, "LIBRARY_PATH", 12) == 0)
{
library_path = &envline[13];
break;