ldd: never run file directly

Message ID b7bba2c1-b089-ef59-25f6-784e3728dbe0@redhat.com
State Committed

Commit Message

Florian Weimer Aug. 16, 2017, 1:48 p.m. UTC
  We have this old patch in our packages.  I think most distributions use
something similar, as a guard against surprises.

Can we finally apply this upstream?

Thanks,
Florian
  

Comments

Carlos O'Donell Aug. 16, 2017, 1:56 p.m. UTC | #1
On 08/16/2017 09:48 AM, Florian Weimer wrote:
> We have this old patch in our packages.  I think most distributions use
> something similar, as a guard against surprises.
> 
> Can we finally apply this upstream?

Yes please.

This is ridiculous behaviour on the part of upstream: you have no idea
what interpreter is encoded into the binary you are about to run, and
therefore should never run it directly for security reasons.

The goal of ldd is always to print information about the program without
having to run it. We don't yet have a finished eu-ldd :-)
 
> From 83e5edd390eabe8f8e8e0d051f929b77a30c0767 Mon Sep 17 00:00:00 2001
> From: Andreas Schwab <schwab@redhat.com>
> Date: Fri, 18 Mar 2011 16:22:52 +0100
> Subject: [PATCH] ldd: never run file directly
> 
> * elf/ldd.bash.in: Never run file directly.
> 
> ---
>  ChangeLog       |    4 ++++
>  elf/ldd.bash.in |   14 +-------------
>  2 files changed, 5 insertions(+), 13 deletions(-)
> 
> --- a/elf/ldd.bash.in
> +++ b/elf/ldd.bash.in
> @@ -166,18 +166,6 @@ warning: you do not have execution permission for" "\`$file'" >&2
>        fi
>      done
>      case $ret in
> -    0)
> -      # If the program exits with exit code 5, it means the process has been
> -      # invoked with __libc_enable_secure.  Fall back to running it through
> -      # the dynamic linker.
> -      try_trace "$file"
> -      rc=$?
> -      if [ $rc = 5 ]; then
> -	try_trace "$RTLD" "$file"
> -	rc=$?
> -      fi
> -      [ $rc = 0 ] || result=1
> -      ;;

OK. This code is dangerous and depending on PT_INTERP can run anything
that might not honour the LD_DEBUG tracing options and therefore
execute a program you didn't intend to run as your user.

>      1)
>        # This can be a non-ELF binary or no binary at all.
>        nonelf "$file" || {
> @@ -185,7 +173,7 @@ warning: you do not have execution permission for" "\`$file'" >&2
>  	result=1
>        }
>        ;;
> -    2)
> +    0|2)
>        try_trace "$RTLD" "$file" || result=1
>        ;;
>      *)

OK.
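The point Carlos makes above is that the file's own PT_INTERP is attacker-chosen, so the only safe way to answer "what does this binary need?" is to read the ELF headers and not exec anything. The following is an added example, not glibc code and not from the thread: a small static reader in Python (chosen over the ldd script's own bash because the work is binary parsing) that extracts PT_INTERP and DT_NEEDED from a little-endian ELF64 file, bounds-checks every segment it touches, and compares the interpreter against a loader allow-list. The sample binary is constructed in-line with a deliberately non-standard interpreter path; `KNOWN_RTLDS`, `/tmp/not-a-loader` and the helper names are assumptions for the example.

```python
# Added example (not glibc code): report what ldd reports, reading the ELF file
# statically so neither the file nor its PT_INTERP interpreter is executed.
# Little-endian ELF64 only; the sample binary is constructed below.
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10
EHDR_FMT, PHDR_FMT, DYN_FMT = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"

# Assumed allow-list of loaders ldd may invoke (glibc substitutes RTLDLIST at
# build time; these paths are illustrative).
KNOWN_RTLDS = ("/lib64/ld-linux-x86-64.so.2", "/lib/ld-linux.so.2")


def _segment_bytes(data, off, size):
    """Slice file bytes with an explicit bounds check; truncated files raise."""
    if off + size > len(data):
        raise ValueError("segment at %#x+%#x runs past end of file" % (off, size))
    return data[off:off + size]


def program_headers(data):
    """Return (e_type, e_machine, [phdr tuples]) for a little-endian ELF64 file."""
    if len(data) < 64 or data[:4] != ELF_MAGIC or data[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 object")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_type, e_machine, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[2], hdr[5], hdr[9], hdr[10]
    if e_phentsize < struct.calcsize(PHDR_FMT):
        raise ValueError("e_phentsize too small")
    table = _segment_bytes(data, e_phoff, e_phnum * e_phentsize)
    return e_type, e_machine, [struct.unpack_from(PHDR_FMT, table, i * e_phentsize)
                               for i in range(e_phnum)]


def vaddr_to_offset(phdrs, addr):
    """Map a virtual address to a file offset through the PT_LOAD segments."""
    for p_type, _, p_offset, p_vaddr, _, p_filesz, _, _ in phdrs:
        if p_type == PT_LOAD and p_vaddr <= addr < p_vaddr + p_filesz:
            return addr - p_vaddr + p_offset
    raise ValueError("address %#x is not file-backed" % addr)


def _cstring(data, off):
    end = data.find(b"\0", off)
    if end < 0:
        raise ValueError("unterminated string at %#x" % off)
    return data[off:end].decode("latin-1")


def describe(data):
    """What ldd wants to know: interpreter and DT_NEEDED entries, read statically."""
    e_type, e_machine, phdrs = program_headers(data)
    info = {"type": e_type, "machine": e_machine, "interp": None, "needed": []}
    strtab = strsz = None
    needed_idx = []
    for p_type, _, p_offset, _, _, p_filesz, _, _ in phdrs:
        if p_type == PT_INTERP:
            # This is the program the kernel would exec for us: attacker-chosen.
            raw = _segment_bytes(data, p_offset, p_filesz)
            info["interp"] = raw.split(b"\0")[0].decode("latin-1")
        elif p_type == PT_DYNAMIC:
            dyn = _segment_bytes(data, p_offset, p_filesz)
            for off in range(0, len(dyn) - 15, 16):
                d_tag, d_val = struct.unpack_from(DYN_FMT, dyn, off)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_NEEDED:
                    needed_idx.append(d_val)
                elif d_tag == DT_STRTAB:
                    strtab = d_val
                elif d_tag == DT_STRSZ:
                    strsz = d_val
    if needed_idx:
        if strtab is None:
            raise ValueError("DT_NEEDED present but no DT_STRTAB")
        base = vaddr_to_offset(phdrs, strtab)
        for idx in needed_idx:
            if strsz is not None and idx >= strsz:
                raise ValueError("DT_NEEDED index %d outside DT_STRSZ" % idx)
            info["needed"].append(_cstring(data, base + idx))
    return info


def is_well_formed(data):
    try:
        describe(data)
        return True
    except ValueError:
        return False


def interp_is_trusted(data, rtlds=KNOWN_RTLDS):
    """The check the old ldd `0)` arm never made: is PT_INTERP one of our loaders?"""
    return describe(data)["interp"] in rtlds


def build_sample_elf(interp, needed):
    """Constructed ET_DYN x86-64 ELF with only PT_LOAD, PT_INTERP and PT_DYNAMIC."""
    strtab = b"\0" + interp.encode() + b"\0"
    idx = []
    for name in needed:
        idx.append(len(strtab))
        strtab += name.encode() + b"\0"
    phnum, strtab_off = 3, 64 + 56 * 3
    dyn_off = (strtab_off + len(strtab) + 7) & ~7
    dyn = b"".join(struct.pack(DYN_FMT, DT_NEEDED, i) for i in idx)
    dyn += struct.pack(DYN_FMT, DT_STRTAB, strtab_off) + struct.pack(DYN_FMT, DT_STRSZ, len(strtab))
    dyn += struct.pack(DYN_FMT, DT_NULL, 0)
    total = dyn_off + len(dyn)
    ehdr = struct.pack(EHDR_FMT, b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       3, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    ph = struct.pack(PHDR_FMT, PT_LOAD, 4, 0, 0, 0, total, total, 0x1000)
    ph += struct.pack(PHDR_FMT, PT_INTERP, 4, strtab_off + 1, strtab_off + 1,
                      strtab_off + 1, len(interp) + 1, len(interp) + 1, 1)
    ph += struct.pack(PHDR_FMT, PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    body = ehdr + ph + strtab
    return body + b"\0" * (dyn_off - len(body)) + dyn


# Constructed sample: a binary whose PT_INTERP is not a system loader.
SAMPLE = build_sample_elf("/tmp/not-a-loader", ["libc.so.6", "libm.so.6"])

if __name__ == "__main__":
    info = describe(SAMPLE)
    verdict = "trusted" if interp_is_trusted(SAMPLE) else "UNTRUSTED, never exec"
    print("interp: %s (%s)" % (info["interp"], verdict))
    for lib in info["needed"]:
        print("\t" + lib)
```

Run stand-alone it prints the interpreter path with an "UNTRUSTED" verdict and the two DT_NEEDED names; the old ldd would instead have exec'd `/tmp/not-a-loader` as the calling user. Resolving each DT_NEEDED to a path still needs the loader's search logic, which is why the patched ldd hands the file to the system's own `$RTLD` rather than to whatever PT_INTERP names.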
  
Andreas Schwab Aug. 16, 2017, 2:11 p.m. UTC | #2
On Aug 16 2017, Florian Weimer <fweimer@redhat.com> wrote:

> We have this old patch in our packages.  I think most distributions use
> something similar, as a guard against surprises.
>
> Can we finally apply this upstream?
>
> Thanks,
> Florian
>
> From 83e5edd390eabe8f8e8e0d051f929b77a30c0767 Mon Sep 17 00:00:00 2001
> From: Andreas Schwab <schwab@redhat.com>
> Date: Fri, 18 Mar 2011 16:22:52 +0100
> Subject: [PATCH] ldd: never run file directly
>
> * elf/ldd.bash.in: Never run file directly.

This is BZ #16750, CVE-2009-5064.

Andreas.
  
Dmitry V. Levin Aug. 16, 2017, 2:20 p.m. UTC | #3
On Wed, Aug 16, 2017 at 03:48:18PM +0200, Florian Weimer wrote:
> We have this old patch in our packages.  I think most distributions use
> something similar, as a guard against surprises.

We have been patching ldd this way for 15 years already.

> Can we finally apply this upstream?

Yes, please.
  
Florian Weimer Aug. 16, 2017, 2:21 p.m. UTC | #4
On 08/16/2017 04:11 PM, Andreas Schwab wrote:
> On Aug 16 2017, Florian Weimer <fweimer@redhat.com> wrote:
> 
>> We have this old patch in our packages.  I think most distributions use
>> something similar, as a guard against surprises.
>>
>> Can we finally apply this upstream?
>>
>> Thanks,
>> Florian
>>
>> From 83e5edd390eabe8f8e8e0d051f929b77a30c0767 Mon Sep 17 00:00:00 2001
>> From: Andreas Schwab <schwab@redhat.com>
>> Date: Fri, 18 Mar 2011 16:22:52 +0100
>> Subject: [PATCH] ldd: never run file directly
>>
>> * elf/ldd.bash.in: Never run file directly.
> 
> This is BZ #16750, CVE-2009-5064.

Thanks.  What about this NEWS entry for it?

+  CVE-2009-5064: The ldd script would sometimes run the program under
+  examination directly, without preventing code execution through the
+  dynamic linker.  (The glibc project disputes that this is a security
+  vulnerability; only trusted binaries must be examined using the ldd
+  script.)

Thanks,
Florian
  
Andreas Schwab Aug. 16, 2017, 2:46 p.m. UTC | #5
On Aug 16 2017, Florian Weimer <fweimer@redhat.com> wrote:

> Thanks.  What about this NEWS entry for it?
>
> +  CVE-2009-5064: The ldd script would sometimes run the program under
> +  examination directly, without preventing code execution through the
> +  dynamic linker.  (The glibc project disputes that this is a security
> +  vulnerability; only trusted binaries must be examined using the ldd
> +  script.)

Looks ok.

Andreas.
  

Patch

From 83e5edd390eabe8f8e8e0d051f929b77a30c0767 Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@redhat.com>
Date: Fri, 18 Mar 2011 16:22:52 +0100
Subject: [PATCH] ldd: never run file directly

* elf/ldd.bash.in: Never run file directly.

---
 ChangeLog       |    4 ++++
 elf/ldd.bash.in |   14 +-------------
 2 files changed, 5 insertions(+), 13 deletions(-)

--- a/elf/ldd.bash.in
+++ b/elf/ldd.bash.in
@@ -166,18 +166,6 @@  warning: you do not have execution permission for" "\`$file'" >&2
       fi
     done
     case $ret in
-    0)
-      # If the program exits with exit code 5, it means the process has been
-      # invoked with __libc_enable_secure.  Fall back to running it through
-      # the dynamic linker.
-      try_trace "$file"
-      rc=$?
-      if [ $rc = 5 ]; then
-	try_trace "$RTLD" "$file"
-	rc=$?
-      fi
-      [ $rc = 0 ] || result=1
-      ;;
     1)
       # This can be a non-ELF binary or no binary at all.
       nonelf "$file" || {
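Review bot: the deleted comment about exit code 5 and __libc_enable_secure was the only text in this `case` explaining what the `$ret` values mean, and removing the whole `0)` arm leaves no note of why a file that passes the check is deliberately not executed; suggest carrying a one-line comment to the surviving arm, e.g. `# Never run $file directly: its PT_INTERP is untrusted.` Separately, the diffstat lists a ChangeLog change (4 insertions) that does not appear in the posted hunks, and the commit message cites neither BZ #16750 nor CVE-2009-5064 as identified in the thread; both should be in the committed message.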
@@ -185,7 +173,7 @@  warning: you do not have execution permission for" "\`$file'" >&2
 	result=1
       }
       ;;
-    2)
+    0|2)
       try_trace "$RTLD" "$file" || result=1
       ;;
     *)
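Review bot: folding `0` into `0|2)` changes observable behaviour for a binary whose PT_INTERP differs from `$RTLD` (its own interpreter is never consulted any more, and the `rc=5` retry is gone because the first attempt already goes through `$RTLD`); that is the intent of the patch, but it is worth one sentence in the commit message so the change in output for such files is not mistaken for a regression. `try_trace "$RTLD" "$file" || result=1` is otherwise the right shape: any failure now maps to a non-zero exit without a second attempt.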