Bug 146207 - Information leak with LD_DEBUG
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: glibc
3
All Linux
Priority: medium, Severity: medium
Assigned To: Jakub Jelinek
Brian Brock
http://www.gentoo.org/security/en/gls...
: Security
Reported: 2005-01-25 18:32 EST by Leonard den Ottolander
Modified: 2007-11-30 17:10 EST
Fixed In Version: 2.3.3-88
Doc Type: Bug Fix
Last Closed: 2005-01-26 05:08:07 EST
Description Leonard den Ottolander 2005-01-25 18:32:45 EST
Silvio Cesare discovered a potential information leak in glibc. It
allows LD_DEBUG on SUID binaries where it should not be allowed. This
has various security implications, which may be used to gain
confidential information.

Has this been caught? Might apply to other releases. If so please
propagate.
Comment 1 Jakub Jelinek 2005-01-26 05:08:07 EST
LD_DEBUG as well as LD_TRACE_PRELINKING are disallowed for suid binaries since
glibc-2.3.3-88, FC3 ATM has glibc-2.3.4-2.fc3.
Comment 2 Leonard den Ottolander 2005-01-27 16:32:55 EST
Did you propagate this bug report to other relevant releases/OSes? I
would say RHEL 2.1 and 3 are vulnerable...
Comment 3 Leonard den Ottolander 2005-01-27 16:36:04 EST
Please CC me on new reports for RHEL if you do propagate this report.
Searched bugzilla for LD_DEBUG in the title of reports and other
titles that might be relevant but I didn't find any. Might be an
oversight on my part.
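
An added C example, not glibc's code and not part of the original report, illustrating the behaviour Comment 1 describes: LD_DEBUG and LD_TRACE_PRELINKING are dropped from the environment when a program runs set-ID. The function names, the two-entry variable list and the constructed sample environment are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <unistd.h>
/* Only the two variables named in this report; an assumption, not glibc's list. */
static const char *const unsafe_vars[] = { "LD_DEBUG", "LD_TRACE_PRELINKING" };

/* Set-ID check: real and effective user or group IDs differ. */
int is_secure_exec(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* 1 if entry is "NAME=value" for exactly this name, not merely a longer name. */
static int names_var(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* Compact envp in place, dropping unsafe_vars when secure != 0; returns count removed. */
size_t scrub_loader_env(char **envp, int secure)
{
    size_t removed = 0;
    char **out = envp;
    if (!secure) return 0;
    for (char **in = envp; *in != NULL; in++) {
        int drop = 0;
        for (size_t i = 0; i < sizeof unsafe_vars / sizeof unsafe_vars[0]; i++)
            drop |= names_var(*in, unsafe_vars[i]);
        if (drop)
            removed++;
        else
            *out++ = *in;
    }
    *out = NULL;
    return removed;
}

/* Constructed sample environment; LD_DEBUG_NOTE is a made-up name that must survive. */
size_t demo_remaining(int secure)
{
    char *env[] = { "PATH=/usr/bin", "LD_DEBUG=all", "LD_DEBUG_NOTE=kept",
                    "LD_TRACE_PRELINKING=1", "HOME=/root", NULL };
    size_t left = 0;
    scrub_loader_env(env, secure);
    while (env[left] != NULL)
        left++;
    return left;
}
```

A set-ID program would call `scrub_loader_env(environ, is_secure_exec())` before executing any child process.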
