CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1 programs [BZ #21624]

LD_LIBRARY_PATH can only be used to reorder system search paths, which
is not useful functionality.

This makes an exploitable unbounded alloca in _dl_init_paths unreachable
for AT_SECURE=1 programs.

diff --git a/ChangeLog b/ChangeLog
index 90439b874c2c95ae09c4f49e4d45300bb8f950fd..3b61f167d2271aee2d920a7fd7071a4aa464ff43 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2017-06-19  Florian Weimer  <fweimer@redhat.com>
+
+       [BZ #21624]
+       CVE-2017-1000366
+       * elf/rtld.c (process_envvars): Ignore LD_LIBRARY_PATH for
+       __libc_enable_secure.
+
 2017-06-19  Stefan Liebler  <stli@linux.vnet.ibm.com>
 
        [BZ #21539]

diff --git a/elf/rtld.c b/elf/rtld.c
index 2446a87680e9a85190120c26b6c4276a7ec1929e..2269dbec8100a519a7630f576a9f0fc73a62868e 100644 (file)
--- a/elf/rtld.c
+++ b/elf/rtld.c
@@ -2422,7 +2422,8 @@ process_envvars (enum mode *modep)
 
        case 12:
          /* The library search path.  */
-         if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
+         if (!__libc_enable_secure
+             && memcmp (envline, "LIBRARY_PATH", 12) == 0)
            {
              library_path = &envline[13];
              break;