This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH] ldd: never run file directly


On 08/16/2017 04:11 PM, Andreas Schwab wrote:
> On Aug 16 2017, Florian Weimer <fweimer@redhat.com> wrote:
> 
>> We have this old patch in our packages.  I think most distributions use
>> something similar, as a guard against surprises.
>>
>> Can we finally apply this upstream?
>>
>> Thanks,
>> Florian
>>
>> From 83e5edd390eabe8f8e8e0d051f929b77a30c0767 Mon Sep 17 00:00:00 2001
>> From: Andreas Schwab <schwab@redhat.com>
>> Date: Fri, 18 Mar 2011 16:22:52 +0100
>> Subject: [PATCH] ldd: never run file directly
>>
>> * elf/ldd.bash.in: Never run file directly.
> 
> This is BZ #16750, CVE-2009-5064.

Thanks.  What about this NEWS entry for it?

+  CVE-2009-5064: The ldd script would sometimes run the program under
+  examination directly, without preventing code execution through the
+  dynamic linker.  (The glibc project disputes that this is a security
+  vulnerability; only trusted binaries must be examined using the ldd
+  script.)
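Review bot: the proposed NEWS entry cites only CVE-2009-5064, while the reply just above identifies the same issue as BZ #16750; glibc NEWS entries normally carry the bug number as well, so the entry should mention BZ #16750 alongside the CVE so readers can find the bug report for the fix.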

Thanks,
Florian
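As an added illustration (not part of this thread and not glibc's own ldd code), the guard the patch describes is to never execute the file under examination. The Python below takes that idea to its conclusion: it lists a binary's DT_NEEDED entries by parsing only the ELF program headers and the dynamic section, so nothing from the examined file is ever loaded or run. The sample ELF64 image is constructed inline for the demonstration; the parser handles little-endian ELF64 only and reports direct dependencies, not the transitive, search-path-resolved list that ldd prints.

```python
import struct
import sys

# ELF constants from the ELF specification
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10

EHDR_FMT = '<16sHHIQQQIHHHHHH'   # Elf64_Ehdr, little-endian
PHDR_FMT = '<IIQQQQQQ'           # Elf64_Phdr
DYN_FMT = '<qQ'                  # Elf64_Dyn


def list_needed(elf: bytes) -> list:
    """Return the DT_NEEDED names of a little-endian ELF64 image.

    The image is only read, never mapped or executed, so a hostile
    binary gets no opportunity to run code on the examining host.
    """
    if elf[:4] != b'\x7fELF' or elf[4] != 2 or elf[5] != 1:
        raise ValueError('not a little-endian ELF64 file')
    e_phoff = struct.unpack_from('<Q', elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from('<HH', elf, 54)
    if e_phentsize < struct.calcsize(PHDR_FMT):
        raise ValueError('bad e_phentsize')

    loads, dynamic = [], None
    for i in range(e_phnum):
        (p_type, _flags, p_offset, p_vaddr, _paddr,
         p_filesz, _memsz, _align) = struct.unpack_from(
            PHDR_FMT, elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        return []            # no dynamic section: nothing to resolve

    def vaddr_to_offset(vaddr: int) -> int:
        # Addresses in .dynamic refer to the loaded image; map them back
        # to file offsets through the PT_LOAD segments instead of loading.
        for seg_vaddr, seg_off, seg_filesz in loads:
            if seg_vaddr <= vaddr < seg_vaddr + seg_filesz:
                return vaddr - seg_vaddr + seg_off
        raise ValueError('address 0x%x is not backed by any PT_LOAD' % vaddr)

    needed, strtab_vaddr, strsz = [], None, None
    dyn_off, dyn_size = dynamic
    for pos in range(dyn_off, dyn_off + dyn_size, struct.calcsize(DYN_FMT)):
        d_tag, d_val = struct.unpack_from(DYN_FMT, elf, pos)
        if d_tag == DT_NULL:
            break
        if d_tag == DT_NEEDED:
            needed.append(d_val)
        elif d_tag == DT_STRTAB:
            strtab_vaddr = d_val
        elif d_tag == DT_STRSZ:
            strsz = d_val
    if not needed:
        return []
    if strtab_vaddr is None or strsz is None:
        raise ValueError('DT_NEEDED without DT_STRTAB/DT_STRSZ')
    off = vaddr_to_offset(strtab_vaddr)
    strtab = elf[off:off + strsz]

    names = []
    for idx in needed:
        if idx >= len(strtab):
            raise ValueError('DT_NEEDED index outside the string table')
        end = strtab.find(b'\0', idx)
        names.append(strtab[idx:end if end >= 0 else None]
                     .decode('ascii', 'replace'))
    return names


def build_sample_elf() -> bytes:
    """Constructed sample: a minimal ELF64 image needing libc and libm."""
    base = 0x400000                     # hypothetical load address
    ehdr_size, phdr_size, phnum = 64, 56, 2
    dyn_off = ehdr_size + phdr_size * phnum          # .dynamic at 176
    strtab = b'\0libc.so.6\0libm.so.6\0'             # names at 1 and 11
    dyn_entries = [(DT_NEEDED, 1), (DT_NEEDED, 11), (DT_STRTAB, 0),
                   (DT_STRSZ, len(strtab)), (DT_NULL, 0)]
    dyn_size = struct.calcsize(DYN_FMT) * len(dyn_entries)
    strtab_off = dyn_off + dyn_size                  # string table at 256
    dyn_entries[2] = (DT_STRTAB, base + strtab_off)  # virtual address
    total = strtab_off + len(strtab)
    ehdr = struct.pack(EHDR_FMT, b'\x7fELF' + bytes([2, 1, 1]) + bytes(9),
                       3, 62, 1, 0, ehdr_size, 0, 0,
                       ehdr_size, phdr_size, phnum, 0, 0, 0)
    load = struct.pack(PHDR_FMT, PT_LOAD, 5, 0, base, base, total, total, 0x1000)
    dynamic = struct.pack(PHDR_FMT, PT_DYNAMIC, 6, dyn_off, base + dyn_off,
                          base + dyn_off, dyn_size, dyn_size, 8)
    dyn = b''.join(struct.pack(DYN_FMT, tag, val) for tag, val in dyn_entries)
    return ehdr + load + dynamic + dyn + strtab


if __name__ == '__main__':
    # Pass a path to inspect a real file; otherwise use the constructed sample.
    data = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else build_sample_elf()
    for name in list_needed(data):
        print(name)
```

Run it with a path to any ELF64 executable to see its direct dependencies; the file is opened read-only and nothing in it is executed, which is the property the patch restores for ldd.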
