List: oss-security
Subject: Re: [oss-security] Fixing the glibc runtime linker
From: John Haxby <john.haxby () oracle ! com>
Date: 2015-02-25 12:36:02
Message-ID: 54EDC1B2.9000602 () oracle ! com
On 19/02/15 22:19, Tim Brown wrote:
> What's the fix?
>
> More often than not, the underlying issue is an empty element
> within the DT_RPATH header or equivalent. Sometimes it's not, but
> even in those cases, it is largely that one or more elements isn't
> qualified (i.e. it doesn't start with /). The attached patch fixes
> this, by ignoring any elements of DT_RPATH, LD_LIBRARY_PATH that
> do not start with a /, and/or junking any use of dlopen where the
> filename is likewise unqualified.

What about things like -Wl,-rpath=/tmp ?

That one is particularly egregious and, as Casper mentioned, there are
other ways of getting stupid RPATHs. I've seen a fair number of them :)

Would it be useful to check to see if an rpath directory is not
writable by someone other than the uid/euid? Of course, it does
nothing for an RPATH that goes over NFS.

The Fedora packaging guidelines forbid the use of rpath completely
which is beginning to look more and more attractive.

jch
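
An added example, not part of the message above or of the patch it discusses: a Python audit sketch that applies the checks raised in this thread to a colon-separated search path (empty element, element without a leading /, directory writable by someone other than the given uids). The names `audit_rpath` and `sample_stat`, the sample paths and the uids are constructed for illustration, and treating root (uid 0) as trusted is an assumption.

```python
import os
import stat
from types import SimpleNamespace

def audit_rpath(rpath, trusted_uids, stat_fn=os.stat):
    """Return (element, problem) pairs for a colon-separated DT_RPATH or
    LD_LIBRARY_PATH value. An empty list means nothing was flagged."""
    findings = []
    for elem in rpath.split(":"):
        if elem == "":
            findings.append((elem, "empty element"))
            continue
        if not elem.startswith("/"):
            findings.append((elem, "not qualified (no leading /)"))
            continue
        try:
            st = stat_fn(elem)
        except OSError:
            continue  # directory does not exist: no permissions to inspect
        if not stat.S_ISDIR(st.st_mode):
            continue
        if st.st_uid not in trusted_uids:
            findings.append((elem, "owned by uid %d" % st.st_uid))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((elem, "group- or world-writable"))
    return findings

# Constructed stat results so the example runs offline (not real system data).
_SAMPLE = {
    "/usr/lib64": SimpleNamespace(st_mode=stat.S_IFDIR | 0o755, st_uid=0),
    "/tmp": SimpleNamespace(st_mode=stat.S_IFDIR | 0o1777, st_uid=0),
    "/home/build/lib": SimpleNamespace(st_mode=stat.S_IFDIR | 0o755, st_uid=1001),
}

def sample_stat(path):
    if path not in _SAMPLE:
        raise FileNotFoundError(path)
    return _SAMPLE[path]

def demo():
    # Constructed search path: one clean entry, then one of each problem.
    rpath = "/usr/lib64::lib:/tmp:/home/build/lib"
    return audit_rpath(rpath, trusted_uids={0, 1000}, stat_fn=sample_stat)

if __name__ == "__main__":
    for elem, problem in demo():
        print(repr(elem), "->", problem)
```

To audit a real value, call `audit_rpath` with the default `stat_fn` and `{0, os.getuid(), os.geteuid()}`; as the message notes, a permission check like this says nothing about a directory served over NFS.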