From patchwork Mon Jun 19 15:38:32 2017
X-Patchwork-Submitter: Florian Weimer
X-Patchwork-Id: 777828
Date: Mon, 19 Jun 2017 17:38:32 +0200
To: libc-alpha@sourceware.org
Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1 programs [BZ #21624]
Message-Id: <20170619153832.8DC2F402AEC3C@oldenburg.str.redhat.com>
From: fweimer@redhat.com (Florian Weimer)

LD_LIBRARY_PATH can only be used to reorder system search paths, which
is not useful functionality.

This makes an exploitable unbounded alloca in _dl_init_paths unreachable
for AT_SECURE=1 programs.

2017-06-19  Florian Weimer

	[BZ #21624]
	CVE-2017-1000366
	* elf/rtld.c (process_envvars): Ignore LD_LIBRARY_PATH for
	__libc_enable_secure.

diff --git a/elf/rtld.c b/elf/rtld.c index 2446a87..2269dbe 100644 --- a/elf/rtld.c +++ b/elf/rtld.c @@ -2422,7 +2422,8 @@ process_envvars (enum mode *modep) case 12: /* The library search path. */ - if (memcmp (envline, "LIBRARY_PATH", 12) == 0) + if (!__libc_enable_secure + && memcmp (envline, "LIBRARY_PATH", 12) == 0) { library_path = &envline[13]; break;
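
Review bot: the comment above the new condition in case 12 of process_envvars still reads "/* The library search path. */" and does not say that LD_LIBRARY_PATH is now skipped when __libc_enable_secure is set. Extend the comment to state that and the reason given in the commit message (the unbounded alloca in _dl_init_paths), so the guard is not later dropped as redundant. The commit message describes the alloca as made unreachable for AT_SECURE=1 programs, not as bounded, and this hunk does not touch _dl_init_paths, so the allocation itself is unchanged and non-AT_SECURE programs still reach it through library_path; a follow-up that bounds it would be worth tracking under the same bug. The patch as posted also carries no test, and a case that checks an AT_SECURE=1 process ignores LD_LIBRARY_PATH would keep this from regressing.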