Bug 2432405

Summary: glibc: Ignore LD_PROFILE if LD_PROFILE_OUTPUT is not set
Product: [Fedora] Fedora
Reporter: Florian Weimer <fweimer>
Component: glibc
Assignee: Florian Weimer <fweimer>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 42
CC: arjun, codonell, dj, fberat, fweimer, jlaw, josmyers, mcermak, mcoufal, mfabian, pfrankli, sipoyare, skolosov, suraj.ghimire7
Flags: fweimer: mirror+
Hardware: All
OS: Linux
Fixed In Version: glibc-2.41-16.fc42 glibc-2.42-9.fc43
Last Closed: 2026-01-27 04:53:23 UTC

Description Florian Weimer 2026-01-23 16:24:30 UTC
Backport this upstream patch:

commit 7b543dcdf97d07fd4346feb17916e08fe83ad0ae
Author: Florian Weimer <fweimer>
Date:   Thu Jan 15 22:29:46 2026 +0100

    elf: Ignore LD_PROFILE if LD_PROFILE_OUTPUT is not set (bug 33797)
    
    The previous default for LD_PROFILE_OUTPUT, /var/tmp, is insecure
    because it's typically a 1777 directory, and other systems could
    place malicious files there which interfere with execution.
    
    Requiring the user to specify a profiling directory mitigates
    the impact of bug 33797.  Clear LD_PROFILE_OUTPUT alongside
    with LD_PROFILE.
    
    Rework the test not to use predictable file names.
    
    Reviewed-by: Carlos O'Donell <carlos>


Reproducible: Always
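
With the backported change, LD_PROFILE only takes effect when LD_PROFILE_OUTPUT names a directory, so the caller has to choose one. The following is an added example, not code from glibc or from this bug: it checks that the chosen directory is not a shared location like the 1777 /var/tmp default before enabling profiling. The function names are hypothetical, and GNU `stat -c` is assumed.

```shell
#!/bin/sh
# Added example (not glibc code). Function names are hypothetical.
# Assumes GNU coreutils stat (-c '%u' / '%a'), as found on Fedora.

# Return 0 only if DIR is a real directory (not a symlink), owned by the
# calling user, and not writable by group or others.
profile_dir_is_private() {
    dir=$1
    [ -n "$dir" ] || return 1
    if [ -L "$dir" ]; then return 1; fi
    [ -d "$dir" ] || return 1
    owner=$(stat -c '%u' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    # Leading 0 makes the shell read the mode as octal.
    # 022 = group-write | other-write; a 1777 directory fails here.
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1
    return 0
}

# Create a fresh per-run output directory. mktemp -d creates it with
# mode 0700 and an unpredictable name, and prints the path.
make_profile_dir() {
    mktemp -d "${TMPDIR:-/tmp}/ldprofile.XXXXXXXXXX"
}

# run_profiled SONAME OUTDIR CMD [ARGS...]
# Runs CMD with profiling of shared object SONAME enabled, but only if
# OUTDIR passes the privacy check. Returns 2 without running CMD otherwise.
run_profiled() {
    soname=$1
    outdir=$2
    shift 2
    if ! profile_dir_is_private "$outdir"; then
        echo "refusing to profile into '$outdir': directory is not private" >&2
        return 2
    fi
    env LD_PROFILE="$soname" LD_PROFILE_OUTPUT="$outdir" "$@"
}
```

Typical use is `d=$(make_profile_dir) && run_profiled SONAME "$d" ./program`, after which ld.so(8) documents the output file as `$LD_PROFILE_OUTPUT/$LD_PROFILE.profile`.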

Comment 1 Fedora Update System 2026-01-24 09:21:32 UTC
FEDORA-2026-205d532069 (glibc-2.42-9.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-205d532069

Comment 2 Fedora Update System 2026-01-25 01:50:03 UTC
FEDORA-2026-205d532069 has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-205d532069`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-205d532069

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 3 Fedora Update System 2026-01-27 04:53:23 UTC
FEDORA-2026-205d532069 (glibc-2.42-9.fc43) has been pushed to the Fedora 43 stable repository.
If the problem still persists, please make note of it in this bug report.