Bug 682998

Summary: glibc: improve ldd safety
Product: [Fedora] Fedora Reporter: Tomas Hoger <thoger>
Component: glibcAssignee: Andreas Schwab <schwab>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: rawhideCC: fweimer, jakub, schwab, sgrubb
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 531160 Environment:
Last Closed: 2011-07-26 11:56:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Hoger 2011-03-08 09:22:02 UTC 
Cloning for Rawhide.  While folks may disagree on the implications of the flaw, a non-intrusive fix for this exists, which does not seem to have negative side effects.  The patch is in use by couple of distributions for some time.


+++ This bug was initially created as a clone of Bug #531160 +++

The ldd attempts to display a list of dynamic linkages by executing the target binary with an "magic environment" setting.  For a normal binary that's been compiled and linked with glibc and the normal GNU linker this will be adequate.

However, crafted sources linked against an alternative library and linker can execute arbitrary code in lieu (or in addition to) this.

Because most sysadmins are not aware of this behavior they will have the (reasonable) expectation that ldd is inspecting the target's headers (as data) rather than EXECUTING them.  This makes ldd an ideal mechanism for social engineering exploits by users against sysadmins or site developers.

Detailed explanation and sample code has been found on:

http://www.catonmat.net/blog/ldd-arbitrary-code-execution/

--- Additional comment from drepper.fsp@... on 2009-11-24 21:57:52 EST ---

This is just nonsense.  There are a gazillion other ways to introduce code if people are downloading arbitrary binaries and install them in appropriate directories or set LD_LIBRARY_PATH etc.  Just don't do that.

--- Additional comment from thoger@... on 2011-02-02 09:19:20 EST ---

Created attachment 476574 [details]
local-ldd.diff

ldd patch from the Debian eglibc packages.  It avoids this issue by ensuring that ldd always does:

  LD_TRACE_LOADED_OBJECTS=1 /lib/ld-linux.so.2 /path/to/ELF-lib-or-binary

rather than:

  LD_TRACE_LOADED_OBJECTS=1 /path/to/ELF-lib-or-binary

This change is not part of upstream glibc.  I don't seem to be able to find any reference to this change on sourceware.org, so I'm not sure if it was ever proposed upstream.  Does it this change break any expected use to explain why this fix should not make it upstream?

--- Additional comment from thoger@... on 2011-03-08 04:06:24 EST ---

(In reply to comment #2)
> ldd patch from the Debian eglibc packages.  It avoids this issue by ensuring
> that ldd always does:
> 
>   LD_TRACE_LOADED_OBJECTS=1 /lib/ld-linux.so.2 /path/to/ELF-lib-or-binary
> 
> rather than:
> 
>   LD_TRACE_LOADED_OBJECTS=1 /path/to/ELF-lib-or-binary

Apparently, Owl / ALT Linux is using the similar approach for a quite some time too:

http://thread.gmane.org/gmane.comp.security.oss.general/4427/focus=4428
http://cvsweb.openwall.com/cgi/cvsweb.cgi/~checkout~/Owl/packages/glibc/glibc-2.3.6-owl-alt-ldd.diff
http://git.altlinux.org/gears/g/glibc.git?p=glibc.git;a=commitdiff;h=788577027d2950e9508a434475e04c3af864d169