This is the mail archive of the libc-hacker@sources.redhat.com mailing list for the glibc project.
Note that libc-hacker is a closed list. You may look at the archives of this list, but subscription and posting are not open.
On Wed, Aug 18, 2004 at 10:41:35AM +0200, Thorsten Kukuk wrote:
>
> Hi,
>
> Gentoo has issued an advisory:
> http://www.gentoo.org/security/en/glsa/glsa-200408-16.xml
>
> "An attacker can gain the list of symbols a SUID application uses and their

That's true.

> locations

LD_DEBUG=all doesn't give you exact addresses of symbols (but
LD_TRACE_PRELINKING=1 does, maybe we should turn that off for
__libc_enable_secure and missing /etc/suid-debug).
It only tells you which libraries' symbols are used.

> and can then use a trojaned library taking precedence over those
> symbols to gain information

This is wrong. You can't LD_PRELOAD a trojaned library to a suid binary
(unless it is in the standard paths and sgid I think) nor can you use
LD_LIBRARY_PATH to trick it in any way.

> or perform further exploitation."
>
> with the following patch:
>
> http://www.gentoo.org/cgi-bin/viewcvs.cgi/sys-libs/glibc/files/glibc-sec-hotfix-20040804.patch?rev=1.1&content-type=text/vnd.viewcvs-markup

BTW,
* Fixes a glibc bug where certain envvars are interpreted even if
UNSECURE_ENVVARS says to drop them
is wrong, they are interpreted on purpose, but with caution if
__libc_enable_secure.

Jakub
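The message above distinguishes three things a secure-mode loader can do with an environment variable: drop it (LD_LIBRARY_PATH), honour it under restrictions (LD_PRELOAD limited to standard paths and set-id libraries), or honour it only when /etc/suid-debug exists (LD_DEBUG). The following is an added illustration of that policy, not glibc's own code: the variable list is an assumed subset of UNSECURE_ENVVARS, and the `secure` and `suid_debug` flags stand in for __libc_enable_secure and the /etc/suid-debug check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed subset of the UNSECURE_ENVVARS list; the real list lives in glibc's unsecvars.h. */
static const char *const unsecure_envvars[] = {
    "LD_LIBRARY_PATH", "LD_DEBUG", "LD_DEBUG_OUTPUT", "LD_PROFILE", "LD_AUDIT",
    "GCONV_PATH", "LOCPATH", "NLSPATH", "RESOLV_HOST_CONF", "HOSTALIASES",
};

enum envvar_action { ENV_KEEP, ENV_DROP, ENV_RESTRICT };

/* True when the "NAME=value" entry carries exactly the given NAME. */
static bool entry_has_name(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* Policy for one entry under the secure-mode rules described in the thread. */
enum envvar_action classify_entry(const char *entry, bool secure, bool suid_debug)
{
    if (!secure)
        return ENV_KEEP;                       /* non set-id process: everything honoured */
    if (entry_has_name(entry, "LD_PRELOAD"))
        return ENV_RESTRICT;                   /* read, but only standard paths / set-id libs count */
    if (entry_has_name(entry, "LD_DEBUG"))
        return suid_debug ? ENV_KEEP : ENV_DROP;  /* debug output only with /etc/suid-debug */
    for (size_t i = 0; i < sizeof unsecure_envvars / sizeof *unsecure_envvars; i++)
        if (entry_has_name(entry, unsecure_envvars[i]))
            return ENV_DROP;
    return ENV_KEEP;
}

/* Compact a NULL-terminated environment block in place, removing ENV_DROP entries.
   Returns the number of entries dropped. */
size_t filter_environment(char **envp, bool secure, bool suid_debug)
{
    size_t in = 0, out = 0;
    for (; envp[in] != NULL; in++)
        if (classify_entry(envp[in], secure, suid_debug) != ENV_DROP)
            envp[out++] = envp[in];
    envp[out] = NULL;
    return in - out;
}

int main(void)
{
    /* Constructed sample environment, as a set-id process would see it. */
    char *env[] = { "HOME=/root", "LD_LIBRARY_PATH=/tmp/x", "LD_PRELOAD=libfoo.so", "LD_DEBUG=all", NULL };
    printf("dropped %zu entries\n", filter_environment(env, true, false));
    for (size_t i = 0; env[i] != NULL; i++)
        printf("kept: %s\n", env[i]);
    return 0;
}
```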