Patchwork CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1 programs [BZ #21624]

Submitter Florian Weimer
Date June 19, 2017, 3:38 p.m.
Message ID <20170619153832.8DC2F402AEC3C@oldenburg.str.redhat.com>
Permalink /patch/21089/
State Committed

Comments

Florian Weimer - June 19, 2017, 3:38 p.m.
LD_LIBRARY_PATH can only be used to reorder system search paths, which
is not useful functionality.

This makes an exploitable unbounded alloca in _dl_init_paths unreachable
for AT_SECURE=1 programs.

2017-06-19  Florian Weimer  <fweimer@redhat.com>

	[BZ #21624]
	CVE-2017-1000366
	* elf/rtld.c (process_envvars): Ignore LD_LIBRARY_PATH for
	__libc_enable_secure.
Dmitry Levin - June 19, 2017, 4:23 p.m.
On Mon, Jun 19, 2017 at 05:38:32PM +0200, Florian Weimer wrote:
> LD_LIBRARY_PATH can only be used to reorder system search paths, which
> is not useful functionality.
> 
> This makes an exploitable unbounded alloca in _dl_init_paths unreachable
> for AT_SECURE=1 programs.
> 
> 2017-06-19  Florian Weimer  <fweimer@redhat.com>
> 
> 	[BZ #21624]
> 	CVE-2017-1000366
> 	* elf/rtld.c (process_envvars): Ignore LD_LIBRARY_PATH for
> 	__libc_enable_secure.

This is fine, please apply.

Patch

diff --git a/elf/rtld.c b/elf/rtld.c
index 2446a87..2269dbe 100644
--- a/elf/rtld.c
+++ b/elf/rtld.c
@@ -2422,7 +2422,8 @@  process_envvars (enum mode *modep)
 
 	case 12:
 	  /* The library search path.  */
-	  if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
+	  if (!__libc_enable_secure
+	      && memcmp (envline, "LIBRARY_PATH", 12) == 0)
 	    {
 	      library_path = &envline[13];
 	      break;
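Review bot: the new `!__libc_enable_secure` guard carries no comment, so a reader of process_envvars has no way to tell that dropping LD_LIBRARY_PATH for AT_SECURE programs is deliberate hardening rather than an oversight; the rationale from the commit message (the variable can only reorder system search paths, and skipping it keeps the unbounded alloca in _dl_init_paths unreachable, BZ #21624) should be carried into the code, for example by extending the existing comment to `/* The library search path.  Ignored for AT_SECURE programs (BZ #21624).  */`. It is also worth confirming that when the guard is false the envline does not fall into a later branch of `case 12` and is simply left unhandled, since the context shown here ends at the `break;` and does not establish what follows.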