glibc: close privil. escalation hole ($origin libpath) with S/GUID.
[ipfire-2.x.git] / src / patches / glibc-2.3.6-dont_use_origin_on_privil_exec.patch
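diff -Naur glibc-2.3.6.org/elf/dl-load.c glibc-2.3.6/elf/dl-load.c
--- glibc-2.3.6.org/elf/dl-load.c 2005-04-06 04:50:10.000000000 +0200
+++ glibc-2.3.6/elf/dl-load.c 2010-10-19 17:41:09.000000000 +0200
@@ -176,8 +176,7 @@
 
 
 static size_t
-is_dst (const char *start, const char *name, const char *str,
- int is_path, int secure)
+is_dst (const char *start, const char *name, const char *str, int is_path)
 {
 size_t len;
 bool is_curly = false;
@@ -206,11 +205,6 @@
 && (!is_path || name[len] != ':'))
 return 0;
 
- if (__builtin_expect (secure, 0)
- && ((name[len] != '\0' && (!is_path || name[len] != ':'))
- || (name != start + 1 && (!is_path || name[-2] != ':'))))
- return 0;
-
 return len;
 }
 
@@ -225,13 +219,12 @@
 {
 size_t len;
 
- /* $ORIGIN is not expanded for SUID/GUID programs (except if it
- is $ORIGIN alone) and it must always appear first in path. */
+ /* $ORIGIN is not expanded for SUID/GUID programs. */
 ++name;
- if ((len = is_dst (start, name, "ORIGIN", is_path,
- INTUSE(__libc_enable_secure))) != 0
- || (len = is_dst (start, name, "PLATFORM", is_path, 0)) != 0
- || (len = is_dst (start, name, "LIB", is_path, 0)) != 0)
+ if (((len = is_dst (start, name, "ORIGIN", is_path)) != 0
+ && !INTUSE(__libc_enable_secure))
+ || (len = is_dst (start, name, "PLATFORM", is_path)) != 0
+ || (len = is_dst (start, name, "LIB", is_path)) != 0)
 ++cnt;
 
 name = strchr (name + len, '$');
@@ -263,12 +256,17 @@
 size_t len;
 
 ++name;
- if ((len = is_dst (start, name, "ORIGIN", is_path,
- INTUSE(__libc_enable_secure))) != 0)
- repl = l->l_origin;
- else if ((len = is_dst (start, name, "PLATFORM", is_path, 0)) != 0)
+ if ((len = is_dst (start, name, "ORIGIN", is_path)) != 0)
+ {
+ // Ignore this path at SUID/GUID
+ if (INTUSE(__libc_enable_secure))
+ repl = (const char *) -1;
+ else
+ repl = l->l_origin;
+ }
+ else if ((len = is_dst (start, name, "PLATFORM", is_path)) != 0)
 repl = GLRO(dl_platform);
- else if ((len = is_dst (start, name, "LIB", is_path, 0)) != 0)
+ else if ((len = is_dst (start, name, "LIB", is_path)) != 0)
 repl = DL_DST_LIB;
 
 if (repl != NULL && repl != (const char *) -1)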
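Review bot: In the counting hunk (the one ending in `++cnt;`), `$ORIGIN` is no longer counted when `__libc_enable_secure` is set, while the substitution hunk relies on `repl = (const char *) -1` to throw the path element away. If a caller outside these hunks treats a zero count as "nothing to substitute" and copies the string unchanged, an entry such as `$ORIGIN/lib` would survive as a literal relative path in the privileged process instead of being dropped. It would be safer to keep counting the token, `if ((len = is_dst (start, name, "ORIGIN", is_path)) != 0`, without the `&& !INTUSE(__libc_enable_secure)` term, so that the substitution path always runs and discards the element; the callers and the branch that handles `repl == (const char *) -1` lie outside the visible hunks and need checking. The new `//` comment would also read better in the file's own style, as `/* Never expand $ORIGIN for SUID/SGID programs; the whole path element is dropped. */`.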