This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [PATCH] ldd: never run file directly

From: Andreas Schwab <schwab at suse dot de>
To: Florian Weimer <fweimer at redhat dot com>
Cc: GNU C Library <libc-alpha at sourceware dot org>
Date: Wed, 16 Aug 2017 16:46:08 +0200
Subject: Re: [PATCH] ldd: never run file directly
Authentication-results: sourceware.org; auth=none
References: <b7bba2c1-b089-ef59-25f6-784e3728dbe0@redhat.com> <mvmfucrsiv3.fsf@suse.de> <4dd5e3fd-2c89-2b6c-477c-b83ee8581f7a@redhat.com>

On Aug 16 2017, Florian Weimer <fweimer@redhat.com> wrote:

> Thanks.  What about this NEWS entry for it?
>
> +  CVE-2009-5064: The ldd script would sometimes run the program under
> +  examination directly, without preventing code execution through the
> +  dynamic linker.  (The glibc project disputes that this is a security
> +  vulnerability; only trusted binaries must be examined using the ldd
> +  script.)

Looks ok.

Andreas.

-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."

References:
- [PATCH] ldd: never run file directly
  - From: Florian Weimer
- Re: [PATCH] ldd: never run file directly
  - From: Andreas Schwab
- Re: [PATCH] ldd: never run file directly
  - From: Florian Weimer

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]