Bug 342619 - sys-libs/glibc fails to sanitize environment for setuid binaries
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Toolchain Maintainers
Depends on:
Reported: 2010-10-25 11:22 UTC by Pavel Labushev
Modified: 2010-10-27 01:50 UTC

See Also:
Package list:
Runtime testing required: ---

fix (glibc-2.11-fix-unsecure_envvars.patch,3.57 KB, patch)
2010-10-25 11:23 UTC, Pavel Labushev
to supplement the fix (glibc-2.11-more-unsecvars.patch,663 bytes, patch)
2010-10-27 01:50 UTC, Pavel Labushev

Description Pavel Labushev 2010-10-25 11:22:58 UTC
sys-libs/glibc fails to sanitize environment for setuid binaries.

In process_envvars function in elf/rtld.c a sanitization code exists to prevent environment variables listed in UNSECURE_ENVVARS (defined in sysdeps/generic/unsecvars.h), like LD_PRELOAD, LD_AUDIT, etc from being handled by setuid binaries.

But the handling code for LD_* variables runs before (!) the sanitizing code, making it possible to exploit vulnerabilities like the recent ones in glibc related to LD_AUDIT.

The order of code execution must be adjusted to perform sanitization before handling of LD_* variables.
Comment 1 Pavel Labushev 2010-10-25 11:23:34 UTC
Created attachment 251933
Comment 2 SpanKY gentoo-dev 2010-10-26 01:30:35 UTC
that patch really should be sent upstream to
Comment 3 Pavel Labushev 2010-10-26 06:50:34 UTC
(In reply to comment #2)
> that patch really should be sent upstream to

It's clear the upstream won't accept it. They try to handle each insecure LD_* variable in a secure way for setuid/setgid binaries (and occasionally fail).

So it's up to Gentoo to accept the patch or not. Maybe just for glibc[hardened] or for glibc[-debug].

But please, don't underestimate the risks. To quote Tavis Ormandy:
<taviso> my money is on LD_HWCAP_MASK breaking next, it's just plain wrong.

And note that LD_HWCAP_MASK is handled in the same loop before unsecure_envvars filtering, so just adding it to UNSECURE_ENVVARS would give nothing for security.
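The ordering problem described in the report and in the comment above can be shown with a small model. The following is an added example written for this page; it is not glibc's rtld code and does not reproduce its data structures. It assumes a hypothetical `sample_env()` environment (constructed here), a shortened stand-in for the UNSECURE_ENVVARS list, and a "handling" step that merely counts the LD_* entries the loader would act on. `process_envvars_buggy()` runs handling before sanitization, as the report says rtld does; `process_envvars_fixed()` runs sanitization first. With the buggy order a setuid process still acts on LD_PRELOAD, LD_AUDIT and LD_HWCAP_MASK even though they are later stripped, which is also why merely adding LD_HWCAP_MASK to the list changes nothing in that order.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENV 16

/* Constructed stand-in for glibc's UNSECURE_ENVVARS list; the real list in
   sysdeps/generic/unsecvars.h is longer. */
static const char *const unsecure_envvars[] = {
    "LD_PRELOAD", "LD_AUDIT", "LD_LIBRARY_PATH", "LD_HWCAP_MASK", NULL
};

/* Constructed sample environment of a hypothetical setuid program. */
static const char *const sample_entries[] = {
    "HOME=/root",
    "LD_PRELOAD=/tmp/libfoo.so",
    "LD_AUDIT=/tmp/libaudit.so",
    "LD_HWCAP_MASK=0",
    "LANG=C",
    NULL
};

/* Copy the sample environment into a fresh NULL-terminated array; sanitize()
   compacts the array in place, so every scenario needs its own copy. */
void sample_env(const char **env) {
    int i = 0;
    for (; sample_entries[i] && i < MAX_ENV - 1; i++)
        env[i] = sample_entries[i];
    env[i] = NULL;
}

/* True when entry is "NAME=..." for exactly this NAME. */
static int name_matches(const char *entry, const char *name) {
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

static int is_unsecure(const char *entry) {
    for (const char *const *p = unsecure_envvars; *p; p++)
        if (name_matches(entry, *p))
            return 1;
    return 0;
}

/* Model of the LD_* handling loop: counts the LD_* entries the loader would
   act on. The real rtld records their values into loader state instead. */
static int handle_ld_vars(const char **env) {
    int handled = 0;
    for (; *env; env++)
        if (strncmp(*env, "LD_", 3) == 0)
            handled++;
    return handled;
}

/* Sanitization for a setuid/setgid process: drop every UNSECURE_ENVVARS entry,
   compacting the array in place. A non-setuid process keeps its environment. */
static void sanitize(const char **env, int is_setuid) {
    if (!is_setuid)
        return;
    const char **dst = env;
    for (const char **src = env; *src; src++)
        if (!is_unsecure(*src))
            *dst++ = *src;
    *dst = NULL;
}

/* Order described in the bug report: handle LD_* first, sanitize afterwards.
   Returns how many LD_* variables were acted on before being removed. */
int process_envvars_buggy(const char **env, int is_setuid) {
    int handled = handle_ld_vars(env);
    sanitize(env, is_setuid);
    return handled;
}

/* Corrected order: sanitize first, so a setuid process never acts on them. */
int process_envvars_fixed(const char **env, int is_setuid) {
    sanitize(env, is_setuid);
    return handle_ld_vars(env);
}

/* Number of entries left in env. */
int env_len(const char **env) {
    int n = 0;
    while (env[n])
        n++;
    return n;
}

/* Run one scenario on a fresh copy of the sample environment. Returns the
   number of LD_* variables acted on; *left receives the remaining entry count. */
int run_scenario(int buggy, int is_setuid, int *left) {
    const char *env[MAX_ENV];
    sample_env(env);
    int handled = buggy ? process_envvars_buggy(env, is_setuid)
                        : process_envvars_fixed(env, is_setuid);
    *left = env_len(env);
    return handled;
}

int main(void) {
    int left;
    int b = run_scenario(1, 1, &left);
    printf("buggy order, setuid: acted on %d LD_* vars, %d entries left\n", b, left);
    int f = run_scenario(0, 1, &left);
    printf("fixed order, setuid: acted on %d LD_* vars, %d entries left\n", f, left);
    return 0;
}
```

Both orders end with the same sanitized environment (two entries remain), which is why inspecting the environment after rtld finishes does not reveal the problem; the difference is only visible in what the loader already did with the variables before they were stripped.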
Comment 4 Pavel Labushev 2010-10-27 01:50:32 UTC
Created attachment 252129
to supplement the fix

If anyone cares, more UNSECURE_ENVVARS as per recommendation of Tavis Ormandy.