Date:      Tue, 1 Dec 2009 17:09:57 +0300
From:      "Vasim Valejev" <vasim@resume-bank.ru>
To:        <freebsd-security@freebsd.org>
Subject:   LD_PRELOAD temporary patch
Message-ID:  <025901ca728f$f7565340$0132a8c0@fb4e97440cc340b>


I've used the patch below to close the hole. The patch is temporary and doesn't fix the real troublemaker: a problem in the new version of getenv() (after 6.3 it was changed into something monstrous that doesn't work right if the environment has only one variable). I hope it will get fixed soon.

*** rtld.c.orig Tue Dec  1 16:55:13 2009
--- rtld.c      Tue Dec  1 16:55:55 2009
***************
*** 357,374 ****
       * is called.  If any child process calls setuid(2) we do not want any
       * future processes to honor the potentially un-safe variables.
       */
      if (!trust) {
          unsetenv(LD_ "PRELOAD");
          unsetenv(LD_ "LIBMAP");
          unsetenv(LD_ "LIBRARY_PATH");
          unsetenv(LD_ "LIBMAP_DISABLE");
          unsetenv(LD_ "DEBUG");
      }
-     ld_debug = getenv(LD_ "DEBUG");
-     libmap_disable = getenv(LD_ "LIBMAP_DISABLE") != NULL;
-     libmap_override = getenv(LD_ "LIBMAP");
-     ld_library_path = getenv(LD_ "LIBRARY_PATH");
-     ld_preload = getenv(LD_ "PRELOAD");
      dangerous_ld_env = libmap_disable || (libmap_override != NULL) ||
        (ld_library_path != NULL) || (ld_preload != NULL);
      ld_tracing = getenv(LD_ "TRACE_LOADED_OBJECTS");
--- 357,379 ----
       * is called.  If any child process calls setuid(2) we do not want any
       * future processes to honor the potentially un-safe variables.
       */
+     ld_preload = getenv(LD_ "PRELOAD");
+     libmap_override = getenv(LD_ "LIBMAP");
+     ld_library_path = getenv(LD_ "LIBRARY_PATH");
+     libmap_disable = getenv(LD_ "LIBMAP_DISABLE") != NULL;
+     ld_debug = getenv(LD_ "DEBUG");
      if (!trust) {
+         ld_preload = NULL;
+         libmap_override = NULL;
+         ld_library_path = NULL;
+         libmap_disable = 0;
+         ld_debug = NULL;
          unsetenv(LD_ "PRELOAD");
          unsetenv(LD_ "LIBMAP");
          unsetenv(LD_ "LIBRARY_PATH");
          unsetenv(LD_ "LIBMAP_DISABLE");
          unsetenv(LD_ "DEBUG");
      }
      dangerous_ld_env = libmap_disable || (libmap_override != NULL) ||
          (ld_library_path != NULL) || (ld_preload != NULL);
      ld_tracing = getenv(LD_ "TRACE_LOADED_OBJECTS");
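Review bot: The five `unsetenv()` calls in the `if (!trust)` block still ignore their return values, so if any of them fails the unsafe variable stays in the environment that child processes inherit, which is exactly what the comment above the block says must not happen. Clearing the local copies (`ld_preload = NULL;` and the rest) protects only this rtld instance. I would make the untrusted path fail closed by checking each call, for example `if (unsetenv(LD_ "PRELOAD") != 0) { /* report corrupt environment and abort startup */ }`, and doing the same for the other four variables. A short comment on the new assignments saying they exist because `unsetenv()` may not be effective would also help the next reader. The enclosing function starts and ends outside this hunk, so how errors are reported there is not visible here.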

