c87fdfb605
glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt Patches are identical to upstream, except that the ChangeLog modifications have been stripped. Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
36 lines
1 KiB
Diff
36 lines
1 KiB
Diff
From f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d Mon Sep 17 00:00:00 2001
|
|
From: Florian Weimer <fweimer@redhat.com>
|
|
Date: Mon, 19 Jun 2017 17:09:55 +0200
|
|
Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1
|
|
programs [BZ #21624]
|
|
|
|
LD_LIBRARY_PATH can only be used to reorder system search paths, which
|
|
is not useful functionality.
|
|
|
|
This makes an exploitable unbounded alloca in _dl_init_paths unreachable
|
|
for AT_SECURE=1 programs.
|
|
|
|
[Peter: Drop ChangeLog modification]
|
|
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
---
|
|
elf/rtld.c | 3 ++-
|
|
1 file changed, 8 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/elf/rtld.c b/elf/rtld.c
|
|
index 2446a87680..2269dbec81 100644
|
|
--- a/elf/rtld.c
|
|
+++ b/elf/rtld.c
|
|
@@ -2422,7 +2422,8 @@ process_envvars (enum mode *modep)
|
|
|
|
case 12:
|
|
/* The library search path. */
|
|
- if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
|
|
+ if (!__libc_enable_secure
|
|
+ && memcmp (envline, "LIBRARY_PATH", 12) == 0)
|
|
{
|
|
library_path = &envline[13];
|
|
break;
|
|
--
|
|
2.11.0
|
|
|