On 10/08/2015 04:44 AM, Florian Weimer wrote:
> On 09/05/2015 06:39 PM, Hector Marco-Gisbert wrote:
>> A weakness in the dynamic loader has been found; Glibc prior to
>> 2.22.90 is affected. The issue is that the LD_POINTER_GUARD in the
>> environment is not sanitized, allowing local attackers to easily bypass
>> the pointer guarding protection on set-user-ID and set-group-ID
>> programs.
>> Details of the weakness:
>> http://hmarco.org/bugs/glibc_ptr_mangle_weakness.html
>> This patch prevents disabling the pointer guarding protection for
>> set-user-ID/set-group-ID programs.
>> For example, executing "LD_POINTER_GUARD=0 /bin/ping" does not disable
>> the pointer guarding protection unless it is directly executed by root
>> (rUID==eUID).
> Does anyone actually use LD_POINTER_GUARD for debugging? Maybe we can
> simply retire the environment variable instead.

I vote we remove it. It has long since passed the point of usefulness.
With a proper tunables infrastructure we would have added it in one
release while we tested things, and then removed it one or two releases
later.
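To make the thread's point concrete, here is a small model, written for this note and not taken from glibc, of what the pointer guard does and why honouring LD_POINTER_GUARD in a set-user-ID process undermines it. The rotation amount 17 is the x86_64 PTR_MANGLE constant; the `choose_guard_old`/`choose_guard_fixed` functions, the `secure` flag and all sample values are assumptions made for the model. The "fixed" path mirrors what the patch asks for: ignore the variable whenever the process is AT_SECURE, so the guard keeps the random value supplied by the kernel.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Rotation amount used by x86_64 PTR_MANGLE (2*LP_SIZE+1 = 17).  Other
   architectures differ; this file is a model, not glibc's own code.  */
#define MANGLE_ROT 17
#define WORD_BITS  (8u * (unsigned) sizeof (uintptr_t))

static uintptr_t rol (uintptr_t v, unsigned n)
{
  n %= WORD_BITS;
  return n ? (v << n) | (v >> (WORD_BITS - n)) : v;
}

static uintptr_t ror (uintptr_t v, unsigned n)
{
  n %= WORD_BITS;
  return n ? (v >> n) | (v << (WORD_BITS - n)) : v;
}

/* Model of PTR_MANGLE / PTR_DEMANGLE: xor with the secret guard, then rotate.  */
uintptr_t ptr_mangle (uintptr_t p, uintptr_t guard)
{
  return rol (p ^ guard, MANGLE_ROT);
}

uintptr_t ptr_demangle (uintptr_t m, uintptr_t guard)
{
  return ror (m, MANGLE_ROT) ^ guard;
}

/* Hypothetical pre-fix loader behaviour: LD_POINTER_GUARD=0 leaves the guard
   at zero and the secure flag is never consulted.  */
uintptr_t choose_guard_old (const char *ld_pointer_guard, int secure,
                            uintptr_t random_guard)
{
  (void) secure;
  if (ld_pointer_guard != NULL && ld_pointer_guard[0] == '0')
    return 0;
  return random_guard;
}

/* Behaviour the patch asks for: in an AT_SECURE process (rUID != eUID, etc.)
   the variable is ignored, so the guard is always the random AT_RANDOM value.  */
uintptr_t choose_guard_fixed (const char *ld_pointer_guard, int secure,
                              uintptr_t random_guard)
{
  if (secure)
    return random_guard;
  return choose_guard_old (ld_pointer_guard, 0, random_guard);
}

/* Why a zero guard matters: mangling then degenerates to a plain rotation, so a
   stored pointer can be recovered with no secret at all.  Returns 1 if the
   mangled word demangles correctly with a guard of 0.  */
int mangling_is_trivial (uintptr_t p, uintptr_t guard)
{
  return ptr_demangle (ptr_mangle (p, guard), 0) == p;
}

int main (void)
{
  /* Constructed sample values.  */
  const uintptr_t random_guard = (uintptr_t) 0x5a3c9e17d2b4f681ULL;
  const uintptr_t fn = (uintptr_t) 0x00007f1234567890ULL;
  const char *env = "0";            /* as if LD_POINTER_GUARD=0 were exported */
  const int secure = 1;             /* set-user-ID program, rUID != eUID */

  uintptr_t g_old = choose_guard_old (env, secure, random_guard);
  uintptr_t g_new = choose_guard_fixed (env, secure, random_guard);

  printf ("old loader: guard=%#lx trivial=%d\n", (unsigned long) g_old,
          mangling_is_trivial (fn, g_old));
  printf ("patched:    guard=%#lx trivial=%d\n", (unsigned long) g_new,
          mangling_is_trivial (fn, g_new));
  return 0;
}
```

Compile with `cc -o ptrguard ptrguard.c` and run it; the old path reports a zero guard and trivially invertible mangling, while the patched path keeps the random guard regardless of the environment. Removing the variable outright, as proposed above, makes the `secure` check unnecessary because there is no longer any input to sanitize.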