Bug 86844 - stable glibc completely filters LD_PRELOAD for setuid/setgid binaries
Summary: stable glibc completely filters LD_PRELOAD for setuid/setgid binaries
Status: RESOLVED WORKSFORME
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Library
Hardware: x86 Linux
Importance: High normal
Assignee: Gentoo Toolchain Maintainers
URL:
Whiteboard:
Keywords:
Duplicates: 86848
Depends on:
Blocks:
 
Reported: 2005-03-27 03:28 UTC by Richard Fish
Modified: 2005-07-17 22:41 UTC

See Also:
Package list:
Runtime testing required: ---


Description Richard Fish 2005-03-27 03:28:25 UTC
In addition to fixing an LD_DEBUG vulnerability (GLSA 200408-16), glibc-sec-hotfix-20040916.patch moves the cleansing of the LD_ environment to before the environment is saved for the current process.  This disables LD_PRELOAD for all setuid/setgid binaries.  This part of the patch did not make it into the glibc CVS repository, and does not appear in glibc-20050125-r1.

Reproducible: Always
Steps to Reproduce:
> sudo chmod 4444 /lib/libz.so
> sudo chmod 4755 /usr/bin/strace
> /usr/bin/strace -e open -E LD_PRELOAD=libz.so /bin/login 2>&1 | grep libz


Actual Results:
With glibc versions before 2.3.4.20050125, libz.so will not be loaded by /bin/login.
Comment 1 Richard Fish 2005-03-27 03:44:18 UTC
*** Bug 86848 has been marked as a duplicate of this bug. ***
Comment 2 Stian Skjelstad 2005-07-17 05:27:08 UTC
Isn't LD_PRELOAD seen as a security problem for setuid/setgid programs in general?
Comment 3 Richard Fish 2005-07-17 14:15:45 UTC
Yes, which is why the glibc provided by gnu:

1. requires any LD_PRELOAD libraries for a setuid/setgid executable also be
marked setuid/setgid, the assumption being that the administrator knows whether
a particular library is safe or not.

2. filters LD_PRELOAD from the environment after performing the resolution, so
that no child processes spawned by the setuid/setgid program inherit this
setting.  The program must reset LD_PRELOAD if necessary...as you can see from
my strace example.
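As an added example (not part of the bug report and not glibc's own code), the following POSIX sh audit helper applies the rule Comment 3 describes for set-user-ID programs to a candidate LD_PRELOAD entry: an entry containing a slash is ignored, and a bare name is honoured only when the matching file in a search directory carries the set-user-ID bit. The function names, the throwaway sample directory and the library names in it (libz.so marked 4444 as in the reproduction steps, libfoo.so left at 0644) are this example's own constructions; the search directories are passed by the caller rather than assumed.

```shell
#!/bin/sh
# Added audit helper (not from the bug report or from glibc): checks which
# LD_PRELOAD entries the loader would honour for a set-user-ID program, using
# the rule described in Comment 3:
#   - an entry containing a slash is ignored;
#   - a bare name is looked up in the standard library directories and is
#     honoured only if that file has the set-user-ID bit (chmod 4444 in the
#     reproduction steps above).
# Directory names are passed by the caller; /lib and /usr/lib are the usual
# ones, but nothing here assumes a particular system layout.

# setuid_libs DIR... : print every regular file directly under DIR that has
# the set-user-ID bit, i.e. every library an administrator has opted in to
# preloading into setuid programs.
setuid_libs() {
    for dir in "$@"; do
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -u "$f" ] && printf '%s\n' "$f"
        done
    done
    return 0
}

# preload_verdict ENTRY DIR... : print a one-line verdict for one LD_PRELOAD
# entry; exit status 0 means the loader would honour it for a setuid program.
preload_verdict() {
    entry=$1
    shift
    case $entry in
        */*)
            printf 'ignored: %s (pathnames containing a slash are dropped)\n' "$entry"
            return 1 ;;
    esac
    for dir in "$@"; do
        f="$dir/$entry"
        if [ -f "$f" ]; then
            if [ -u "$f" ]; then
                printf 'loaded: %s (set-user-ID bit set)\n' "$f"
                return 0
            fi
            printf 'ignored: %s (no set-user-ID bit)\n' "$f"
            return 1
        fi
    done
    printf 'ignored: %s (not found in the search directories)\n' "$entry"
    return 1
}

# Constructed sample: a temporary directory standing in for /lib, holding one
# library marked the way the reproduction steps mark libz.so and one left at a
# normal mode. Both files are empty placeholders, not real libraries.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
: > "$SAMPLE_DIR/libz.so"
chmod 4444 "$SAMPLE_DIR/libz.so"
: > "$SAMPLE_DIR/libfoo.so"
chmod 0644 "$SAMPLE_DIR/libfoo.so"

echo "libraries opted in to preloading under $SAMPLE_DIR:"
setuid_libs "$SAMPLE_DIR"
for entry in libz.so libfoo.so "$SAMPLE_DIR/libz.so" libmissing.so; do
    preload_verdict "$entry" "$SAMPLE_DIR" || :
done
```

Run against the real standard directories (`setuid_libs /lib /usr/lib`), the opt-in list should be empty on a normally configured system; any shared object that does show up there is one the loader will inject into every setuid program whose environment names it, and it deserves an explanation in the system's configuration history.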
Comment 4 SpanKY gentoo-dev 2005-07-17 22:41:35 UTC
We're pushing glibc-2.3.5, which should be OK.

If you want, post an updated glibc-sec-hotfix-20040916.patch and I'll merge it;
otherwise I'll just leave this as resolved.