Major security vulnerability in gentoo's ldd. Recently I was fooling around musl-libc and I found that any dynamic linked binary produced by musl is executed whenever I do 'ldd binary_name'. I did some research and I found 'ldd can execute an app unexpectedly' at http://seclists.org/oss-sec/2011/q1/428 ldd is wide used in gentoo, even revdep-rebuild is running ldd on very every binary in the system. One of solution would be running ld-linux.so with LD_TRACE_LOADED_OBJECTS=1 and putting binary as a parametr instead of just running binary with LD_TRACE_LOADED_OBJECTS=1 variable. Reproducible: Always
"emerge --info" output please?
What emerge --info can be useful for? Anyway... Portage 2.2.0_alpha43 (default/linux/amd64/10.0, gcc-4.4.5, glibc-2.12.2-r0, 3.0.0-rc6 x86_64) ================================================================= System uname: Linux-3.0.0-rc6-x86_64-Intel-R-_Core-TM-_i5_CPU_M_480_@_2.67GHz-with-gentoo-2.0.3 Timestamp of tree: Mon, 11 Jul 2011 09:30:01 +0000 ccache version 3.1.5 [enabled] app-shells/bash: 4.2_p10 dev-java/java-config: 2.1.11-r3 dev-lang/python: 2.7.2, 3.1.3-r1, 3.2 dev-util/ccache: 3.1.5 dev-util/cmake: 2.8.4-r1 dev-util/pkgconfig: 0.26 sys-apps/baselayout: 2.0.3 sys-apps/openrc: 0.8.3-r1 sys-apps/sandbox: 2.5 sys-devel/autoconf: 2.13, 2.68 sys-devel/automake: 1.9.6-r3, 1.10.3, 1.11.1-r1 sys-devel/binutils: 2.20.1-r1 sys-devel/gcc: 4.4.5 sys-devel/gcc-config: 1.4.1-r1 sys-devel/libtool: 2.4-r1 sys-devel/make: 3.82-r1 sys-kernel/linux-headers: 2.6.36.1 (virtual/os-headers) sys-libs/glibc: 2.12.2 Repositories: gentoo kde-sunset lcd-filtering foo-overlay Installed sets: ACCEPT_KEYWORDS="amd64 ~amd64" ACCEPT_LICENSE="*" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-O2 -pipe -march=native -mtune=generic" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /usr/share/gnupg/qualified.txt" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo" CXXFLAGS="-O2 -pipe -march=native -mtune=generic" DISTDIR="/var/portage/distfiles" FEATURES="assume-digests binpkg-logs ccache distlocks ebuild-locks fixlafiles fixpackages news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch" FFLAGS="" GENTOO_MIRRORS="http://distfiles.gentoo.org" LC_ALL="en_US.UTF-8" LDFLAGS="-Wl,-O1 -Wl,--as-needed" LINGUAS="en pl" MAKEOPTS="--quiet -j4" PKGDIR="/var/portage/packages" PORTAGE_COMPRESS="bzip2" PORTAGE_COMPRESS_FLAGS="-9" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/portage/tmp" PORTDIR="/var/portage/tree" PORTDIR_OVERLAY="/var/lib/layman/kde-sunset /var/lib/layman/lcd-filtering /home/slashbeast/src/foo-overlay" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="X acl alsa amd64 berkdb bzip2 cli cracklib crypt cups cxx dbus dri fontconfig fortran gdbm gpm iconv ipv6 jpeg lcdfilter logrotate mmx modules mudflap multilib ncurses nls nptl nptlonly opengl openmp pam pcre perl png pppd python readline session sse sse2 sse3 ssl ssse3 sysfs tcpd threads tiff truetype unicode vim-syntax vorbis x264 xft xorg xvid zlib zsh-completion" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="braindump flow karbon kexi kpresenter krita tables words" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse synaptics evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en pl" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="nouveau nvidia" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, PORTAGE_BUNZIP2_COMMAND, PORTAGE_RSYNC_EXTRA_OPTS
To know glibc version
ldd has always operated this way by design. there are no plans to change it. if you want something say, use `lddtree` which uses scanelf. of course, you wont get exactly the same answer (by design) because it's not possible.
I disagree with you. Debian, Ubuntu, Redhat, Alt Linux and Openwall have this fixed, gentoo do not. Simply adding ld-linux would produce error instead of running binary linked against other libc, like: % ldd dropbear ./dropbear: error while loading shared libraries: /usr/lib64/libc.so: invalid ELF header on regular binaries it would work the same, as expected. following your ignorance on marking it as RESOLVED, gentoo will not have it fixed because you feel it works ok as it should, and fix will not change how it work, it will just prevent executing unexpected binary while running ldd.
that isnt what i said. if upstream changes behavior, i have no problem adding their patches to older versions. also, your revdep-rebuild example is irrelevant. that operates on system binaries, not random binaries people download. if someone can inject a binary into the system path, you've already lost.