sys-libs/glibc fails to sanitize environment for setuid binaries.
In the process_envvars function in elf/rtld.c, sanitization code exists to prevent environment variables listed in UNSECURE_ENVVARS (defined in sysdeps/generic/unsecvars.h), like LD_PRELOAD, LD_AUDIT, etc., from being handled by setuid binaries.
But the handling code for LD_* variables runs before (!) the sanitizing code, making it possible to exploit vulnerabilities like the recent ones in glibc related to LD_AUDIT.
The order of code execution must be adjusted to perform sanitization before handling of LD_* variables.
Created attachment 251933
that patch really should be sent upstream to email@example.com
(In reply to comment #2)
> that patch really should be sent upstream to firstname.lastname@example.org
It's clear the upstream won't accept it. They try to handle each insecure LD_* variable in a secure way for setuid/setgid binaries (and occasionally fail).
So it's up to Gentoo to accept the patch or not. Maybe just for glibc[hardened] or for glibc[-debug].
But please, don't underestimate the risks. To quote Tavis Ormandy:
<taviso> my money is on LD_HWCAP_MASK breaking next, it's just plain wrong.
And note that LD_HWCAP_MASK is handled in the same loop before unsecure_envvars filtering, so just adding it to UNSECURE_ENVVARS would give nothing for security.
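The ordering problem from the original report and the LD_HWCAP_MASK point in the comment above, as an added toy model (example code written for this bug, not glibc's rtld.c). The function names, the struct, the short "unsecure" name list and the attacker environment are all constructed here; glibc's real UNSECURE_ENVVARS list and per-variable switch are not reproduced. The model shows that when the LD_* switch runs before the unsecure check, the values have already taken effect for a setuid process even though the entries are later counted as removed, and that adding LD_HWCAP_MASK to the list changes nothing under that ordering.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of what the loader "acted on" while scanning envp. */
struct loader_state {
    const char *preload;       /* LD_PRELOAD value that took effect, or NULL */
    const char *audit;         /* LD_AUDIT value that took effect, or NULL */
    unsigned long hwcap_mask;  /* parsed LD_HWCAP_MASK, valid if hwcap_mask_set */
    bool hwcap_mask_set;
    int removed;               /* entries the unsecure check dropped */
};

/* Hypothetical stand-in for UNSECURE_ENVVARS; LD_HWCAP_MASK is included on
   purpose to show that listing it is not enough under the wrong ordering. */
static const char *const unsecure_names[] = {
    "LD_PRELOAD", "LD_AUDIT", "LD_LIBRARY_PATH", "LD_HWCAP_MASK", NULL
};

static bool is_unsecure(const char *name)
{
    for (int i = 0; unsecure_names[i]; i++)
        if (strcmp(name, unsecure_names[i]) == 0)
            return true;
    return false;
}

/* Split "NAME=value": copy NAME into name[], return a pointer to value. */
static const char *split_env(const char *entry, char *name, size_t cap)
{
    const char *eq = strchr(entry, '=');
    size_t n = eq ? (size_t)(eq - entry) : strlen(entry);
    if (n >= cap)
        n = cap - 1;
    memcpy(name, entry, n);
    name[n] = '\0';
    return eq ? eq + 1 : "";
}

/* Stand-in for the per-variable LD_* switch: record that the value took effect. */
static void handle_ld_var(struct loader_state *st, const char *name, const char *value)
{
    if (strcmp(name, "LD_PRELOAD") == 0) {
        st->preload = value;
    } else if (strcmp(name, "LD_AUDIT") == 0) {
        st->audit = value;
    } else if (strcmp(name, "LD_HWCAP_MASK") == 0) {
        st->hwcap_mask = strtoul(value, NULL, 0);
        st->hwcap_mask_set = true;
    }
}

/* The ordering the bug describes: the LD_* switch runs for every entry, and
   only afterwards does the unsecure check decide whether the entry is dropped.
   For a setuid process the value has already been acted on by then. */
static void process_envvars_handle_first(const char *const *env, bool is_setuid,
                                         struct loader_state *st)
{
    char name[64];
    memset(st, 0, sizeof *st);
    for (; *env; env++) {
        const char *value = split_env(*env, name, sizeof name);
        if (strncmp(name, "LD_", 3) == 0)
            handle_ld_var(st, name, value);   /* runs too early */
        if (is_setuid && is_unsecure(name))
            st->removed++;                    /* runs too late */
    }
}

/* The ordering the report asks for: drop unsecure entries before the switch. */
static void process_envvars_sanitize_first(const char *const *env, bool is_setuid,
                                           struct loader_state *st)
{
    char name[64];
    memset(st, 0, sizeof *st);
    for (; *env; env++) {
        const char *value = split_env(*env, name, sizeof name);
        if (is_setuid && is_unsecure(name)) {
            st->removed++;
            continue;                         /* never reaches the switch */
        }
        if (strncmp(name, "LD_", 3) == 0)
            handle_ld_var(st, name, value);
    }
}

/* Constructed environment an unprivileged caller could hand to a setuid binary. */
static const char *const attacker_env[] = {
    "PATH=/usr/bin:/bin",
    "LD_PRELOAD=/tmp/evil.so",
    "LD_AUDIT=/tmp/audit.so",
    "LD_HWCAP_MASK=0xffffffff",
    "HOME=/home/user",
    NULL
};

static void report(const char *label, const struct loader_state *st)
{
    printf("%s: preload=%s audit=%s hwcap_mask_set=%d removed=%d\n", label,
           st->preload ? st->preload : "(none)", st->audit ? st->audit : "(none)",
           st->hwcap_mask_set, st->removed);
}

int main(void)
{
    struct loader_state st;
    process_envvars_handle_first(attacker_env, true, &st);
    report("handle-first (setuid)", &st);
    process_envvars_sanitize_first(attacker_env, true, &st);
    report("sanitize-first (setuid)", &st);
    return 0;
}
```

Run stand-alone, the handle-first pass reports all three LD_* values as having taken effect with removed=3, while the sanitize-first pass reports none with the same removed count; for a non-setuid process both orderings honour the variables, which is the behaviour the report wants to keep.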
Created attachment 252129
to supplement the fix
If anyone cares, more UNSECURE_ENVVARS as per recommendation of Tavis Ormandy.