This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

[Bug dynamic-link/22625] RPATH $ORIGIN replaced by PWD for AT_SECURE/SUID binaries or if /proc is not mounted (CVE-2017-16997)


https://sourceware.org/bugzilla/show_bug.cgi?id=22625

--- Comment #5 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  3e3c904daef69b8bf7d5cc07f793c9f07c3553ef (commit)
      from  c48831d0eebf876d986919baf2d9240a79192837 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3e3c904daef69b8bf7d5cc07f793c9f07c3553ef

commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Sat Dec 30 10:54:23 2017 +0100

    elf: Check for empty tokens before dynamic string token expansion [BZ
#22625]

    The fillin_rpath function in elf/dl-load.c loops over each RPATH or
    RUNPATH tokens and interprets empty tokens as the current directory
    ("./"). In practice the check for empty token is done *after* the
    dynamic string token expansion. The expansion process can return an
    empty string for the $ORIGIN token if __libc_enable_secure is set
    or if the path of the binary can not be determined (/proc not mounted).

    Fix that by moving the check for empty tokens before the dynamic string
    token expansion. In addition, check for NULL pointer or empty strings
    return by expand_dynamic_string_token.

    The above changes highlighted a bug in decompose_rpath, an empty array
    is represented by the first element being NULL at the fillin_rpath
    level, but by using a -1 pointer in decompose_rpath and other functions.

    Changelog:
        [BZ #22625]
        * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
        string token expansion. Check for NULL pointer or empty string possibly
        returned by expand_dynamic_string_token.
        (decompose_rpath): Check for empty path after dynamic string
        token expansion.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog     |   10 ++++++++++
 NEWS          |    4 ++++
 elf/dl-load.c |   49 +++++++++++++++++++++++++++++++++----------------
 3 files changed, 47 insertions(+), 16 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]