sys-libs/glibc fails to sanitize environment for setuid binaries. In process_envvars function in elf/rtld.c a sanitization code exists to prevent environment variables listed in UNSECURE_ENVVARS (defined in sysdeps/generic/unsecvars.h), like LD_PRELOAD, LD_AUDIT, etc., from being handled by setuid binaries. But the handling code for LD_* variables runs before (!) the sanitizing code, making it possible to exploit vulnerabilities like the recent ones in glibc related to LD_AUDIT. The order of code execution must be adjusted to perform sanitization before handling of LD_* variables.
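A small model of the ordering problem described above, added here as an illustration; it is not glibc's code and simplifies process_envvars heavily. A flag selects whether the UNSECURE_ENVVARS filter runs before or after the LD_* handler, and only the filter-first order keeps a setuid process from acting on LD_AUDIT or LD_PRELOAD. The variable subset and the sample environment are constructed.

```c
#include <stdbool.h>
#include <string.h>

/* Illustrative subset of UNSECURE_ENVVARS (glibc's real list in
   sysdeps/generic/unsecvars.h is longer). This is a model, not glibc code. */
static const char *const unsecure_envvars[] = {
    "LD_PRELOAD", "LD_AUDIT", "LD_LIBRARY_PATH", "LD_HWCAP_MASK", NULL };

/* True if the "NAME=value" entry names a variable on the unsecure list. */
static bool is_unsecure(const char *entry) {
    for (const char *const *p = unsecure_envvars; *p; ++p) {
        size_t n = strlen(*p);
        if (strncmp(entry, *p, n) == 0 && entry[n] == '=')
            return true;
    }
    return false;
}

/* Stand-in for the LD_* handling loop: counts unsecure LD_* settings acted upon. */
static int handle_ld_vars(char **envp) {
    int acted = 0;
    for (char **ep = envp; *ep; ++ep)
        acted += strncmp(*ep, "LD_", 3) == 0 && is_unsecure(*ep);
    return acted;
}

/* Stand-in for the UNSECURE_ENVVARS filter: blank each listed entry. */
static void sanitize_env(char **envp) {
    for (char **ep = envp; *ep; ++ep)
        if (is_unsecure(*ep))
            *ep = "";
}

/* Model of process_envvars; `secure` plays the role of __libc_enable_secure
   (true for setuid/setgid programs). Returns unsecure LD_* settings acted upon. */
int process_envvars_model(char **envp, bool secure, bool sanitize_first) {
    if (secure && sanitize_first)
        sanitize_env(envp);            /* fixed order: filter before handling */
    int acted = handle_ld_vars(envp);
    if (secure && !sanitize_first)
        sanitize_env(envp);            /* reported order: handler already ran */
    return acted;
}

/* Constructed sample environment (not real data); a fresh copy per call. */
int run_model(bool secure, bool sanitize_first) {
    char *env[] = { "PATH=/usr/bin", "LD_AUDIT=/tmp/x.so", "LD_WARN=1",
                    "LD_PRELOAD=/tmp/x.so", NULL };
    return process_envvars_model(env, secure, sanitize_first);
}
```

With the reported ordering a setuid process acts on both unsecure settings before they are removed; with the filter first it acts on none, while a non-setuid process is unaffected either way.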
Created attachment 251933: fix
that patch really should be sent upstream to libc-alpha@sourceware.org
(In reply to comment #2)
> that patch really should be sent upstream to libc-alpha@sourceware.org

It's clear the upstream won't accept it. They try to handle each insecure LD_* variable in a secure way for setuid/setgid binaries (and occasionally fail). So it's up to Gentoo to accept the patch or not. Maybe just for glibc[hardened] or for glibc[-debug]. But please, don't underestimate the risks. To quote Tavis Ormandy:

<taviso> my money is on LD_HWCAP_MASK breaking next, it's just plain wrong.

And note that LD_HWCAP_MASK is handled in the same loop before unsecure_envvars filtering, so just adding it to UNSECURE_ENVVARS would give nothing for security.
Created attachment 252129: to supplement the fix

If anyone cares, more UNSECURE_ENVVARS as per recommendation of Tavis Ormandy.