This is the mail archive of the libc-hacker@sources.redhat.com mailing list for the glibc project.

Note that libc-hacker is a closed list. You may look at the archives of this list, but subscription and posting are not open.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]

Security bug for 2.2 -> port to 2.1

To: GNU libc hacker <libc-hacker at sourceware dot cygnus dot com>
Subject: Security bug for 2.2 -> port to 2.1
From: Andreas Jaeger <aj at suse dot de>
Date: 10 Jan 2001 10:57:48 +0100


Hi Uli,

your patch for 2.2 is also needed for 2.1.  Since some folks still
need to maintain a glibc 2.1, I'd like to commit this to 2.1.

Ok to commit?

Andreas

2001-01-08  Ulrich Drepper  <drepper@redhat.com>

	* elf/rtld.c (process_envvars): Place output files for profiling
	in SUID binaries in /var/profile.

	* elf/dl-load.c (_dl_map_object): Don't look in cache for
	preloading in SUID binaries.

	* elf/dl-profile.c (_dl_start_profile): Open the output file with
	O_NOFOLLOW if possible.

	* sysdeps/generic/segfault.c (install_handler): Check output file
	name with access().

============================================================
Index: elf/rtld.c
--- elf/rtld.c	2000/03/15 05:42:01	1.148.2.7
+++ elf/rtld.c	2001/01/10 07:45:19
@@ -1273,7 +1273,7 @@
   char *debug_output = NULL;
 
   /* This is the default place for profiling data file.  */
-  _dl_profile_output = "/var/tmp";
+  _dl_profile_output = __libc_enable_secure ? "/var/profile" : "/var/tmp";
 
   while ((envline = _dl_next_ld_env_entry (&runp)) != NULL)
     {
============================================================
Index: elf/dl-load.c
--- elf/dl-load.c	1999/11/20 02:26:38	1.103.2.5
+++ elf/dl-load.c	2001/01/10 07:45:20
@@ -1338,7 +1338,7 @@
       if (fd == -1 && env_path_list != NULL)
 	fd = open_path (name, namelen, preloaded, env_path_list, &realname);
 
-      if (fd == -1)
+      if (fd == -1 && (! preloaded || ! __libc_enable_secure))
 	{
 	  /* Check the list of libraries in the file /etc/ld.so.cache,
 	     for compatibility with Linux's ldconfig program.  */
============================================================
Index: elf/dl-profile.c
--- elf/dl-profile.c	1998/06/07 13:35:48	1.14
+++ elf/dl-profile.c	2001/01/10 07:45:21
@@ -263,7 +263,12 @@
   *cp++ = '/';
   __stpcpy (__stpcpy (cp, _dl_profile), ".profile");
 
-  fd = __open (filename, O_RDWR | O_CREAT, 0666);
+#ifdef O_NOFOLLOW
+# define EXTRA_FLAGS | O_NOFOLLOW
+#else
+# define EXTRA_FLAGS
+#endif
+  fd = __open (filename, O_RDWR | O_CREAT EXTRA_FLAGS, 0666);
   if (fd == -1)
     {
       /* We cannot write the profiling data so don't do anything.  */
============================================================
Index: sysdeps/generic/segfault.c
--- sysdeps/generic/segfault.c	2000/03/21 04:53:40	1.10.2.2
+++ sysdeps/generic/segfault.c	2001/01/10 07:45:22
@@ -236,6 +236,6 @@
 
   /* Preserve the output file name if there is any given.  */
   name = getenv ("SEGFAULT_OUTPUT_NAME");
-  if (name != NULL && name[0] != '\0')
+  if (name != NULL && name[0] != '\0' && __access (name, R_OK | W_OK) == 0)
     fname = __strdup (name);
 }

-- 
 Andreas Jaeger
  SuSE Labs aj@suse.de
   private aj@arthur.inka.de
    http://www.suse.de/~aj

Follow-Ups:
- Re: Security bug for 2.2 -> port to 2.1
  - From: Ulrich Drepper

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]