ldd: never run file directly

(cherry picked from commit eedca9772e)
2024-11-27 11:43:34 +08:00 · 2017-08-28 19:49:18 +02:00 · 2017-08-28 19:49:18 +02:00 · 6043d77a47
commit 6043d77a47
parent 77db8772bd
3 changed files with 16 additions and 13 deletions
--- a/6
+++ b/6
@ -1,3 +1,9 @@
+2017-08-16  Andreas Schwab  <schwab@suse.de>
+
+	[BZ #16750]
+	CVE-2009-5064
+	* elf/ldd.bash.in: Never run file directly.
+
 2017-08-10  Florian Weimer  <fweimer@redhat.com>

 	* inet/net-internal.h (__inet6_scopeid_pton): Remove
--- a/9
+++ b/9
@ -7,8 +7,17 @@ using `glibc' in the "product" field.

 Version 2.26.1

+Security related changes:
+
+  CVE-2009-5064: The ldd script would sometimes run the program under
+  examination directly, without preventing code execution through the
+  dynamic linker.  (The glibc project disputes that this is a security
+  vulnerability; only trusted binaries must be examined using the ldd
+  script.)
+
 The following bugs are resolved with this release:

+  [16750] ldd: Never run file directly.
  [21242] assert: Suppress pedantic warning caused by statement expression
  [21780] posix: Set p{read,write}v2 to return ENOTSUP
  [21871] x86-64: Use _dl_runtime_resolve_opt only with AVX512F
--- a/elf/ldd.bash.in
+++ b/elf/ldd.bash.in
@ -164,18 +164,6 @@ warning: you do not have execution permission for" "\`$file'" >&2
      fi
    done
    case $ret in
-    0)
-      # If the program exits with exit code 5, it means the process has been
-      # invoked with __libc_enable_secure.  Fall back to running it through
-      # the dynamic linker.
-      try_trace "$file"
-      rc=$?
-      if [ $rc = 5 ]; then
-	try_trace "$RTLD" "$file"
-	rc=$?
-      fi
-      [ $rc = 0 ] || result=1
-      ;;
    1)
      # This can be a non-ELF binary or no binary at all.
      nonelf "$file" || {
@ -183,7 +171,7 @@ warning: you do not have execution permission for" "\`$file'" >&2
 	result=1
      }
      ;;
-    2)
+    0|2)
      try_trace "$RTLD" "$file" || result=1
      ;;
    *)