I've used that patch to close the hole. This patch is temporary and doesn't fix the real trouble maker: a problem in the new version of getenv() (after 6.3 it was changed to something monstrous that doesn't work right if the environment has only one variable); I hope it will get fixed soon.

*** rtld.c.orig Tue Dec 1 16:55:13 2009 --- rtld.c Tue Dec 1 16:55:55 2009 *************** *** 357,374 **** * is called. If any child process calls setuid(2) we do not want any * future processes to honor the potentially un-safe variables. */ if (!trust) { unsetenv(LD_ "PRELOAD"); unsetenv(LD_ "LIBMAP"); unsetenv(LD_ "LIBRARY_PATH"); unsetenv(LD_ "LIBMAP_DISABLE"); unsetenv(LD_ "DEBUG"); } - ld_debug = getenv(LD_ "DEBUG"); - libmap_disable = getenv(LD_ "LIBMAP_DISABLE") != NULL; - libmap_override = getenv(LD_ "LIBMAP"); - ld_library_path = getenv(LD_ "LIBRARY_PATH"); - ld_preload = getenv(LD_ "PRELOAD"); dangerous_ld_env = libmap_disable || (libmap_override != NULL) || (ld_library_path != NULL) || (ld_preload != NULL); ld_tracing = getenv(LD_ "TRACE_LOADED_OBJECTS"); --- 357,379 ---- * is called. If any child process calls setuid(2) we do not want any * future processes to honor the potentially un-safe variables. */ + ld_preload = getenv(LD_ "PRELOAD"); + libmap_override = getenv(LD_ "LIBMAP"); + ld_library_path = getenv(LD_ "LIBRARY_PATH"); + libmap_disable = getenv(LD_ "LIBMAP_DISABLE") != NULL; + ld_debug = getenv(LD_ "DEBUG"); if (!trust) { + ld_preload = NULL; + libmap_override = NULL; + ld_library_path = NULL; + libmap_disable = 0; + ld_debug = NULL; unsetenv(LD_ "PRELOAD"); unsetenv(LD_ "LIBMAP"); unsetenv(LD_ "LIBRARY_PATH"); unsetenv(LD_ "LIBMAP_DISABLE"); unsetenv(LD_ "DEBUG"); } dangerous_ld_env = libmap_disable || (libmap_override != NULL) || (ld_library_path != NULL) || (ld_preload != NULL); ld_tracing = getenv(LD_ "TRACE_LOADED_OBJECTS");
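Review bot: the five unsetenv() calls inside the `if (!trust)` block still discard their return values, so when unsetenv() fails the variables stay in the environment that every child inherits, which is exactly what the comment directly above the block ("If any child process calls setuid(2) we do not want any future processes to honor the potentially un-safe variables") says must not happen. Nulling ld_preload, libmap_override, ld_library_path, libmap_disable and ld_debug first protects this rtld instance only. Check each call and refuse to continue when one fails, for instance `if (unsetenv(LD_ "PRELOAD") != 0 || unsetenv(LD_ "LIBMAP") != 0 || ...)` followed by an error exit, rather than falling through to the `dangerous_ld_env = ...` line as if the environment were clean. A smaller point: after this change the same five names appear three times in a row (getenv, `= NULL`, unsetenv); a single table of names walked in one loop would keep the three lists from drifting apart the next time a variable such as LD_ "TRACE_LOADED_OBJECTS" is reconsidered.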
Good evening.

Tue, Dec 01, 2009 at 05:09:57PM +0300, Vasim Valejev wrote:
> I've used that patch to close the hole. This patch is temporary and
> doesn't fix real trouble maker - problem in new version in getenv()

If you're talking about the rtld-elf local root, then the real issue is that the return values of unsetenv() are not checked and unsetenv() could fail, thus leaving LD_PRELOAD and friends unmodified.

> (after 6.3 it got changed to something monstrous and non-working right
> if environment has only one variable),

Sorry, what do you mean by this? Does the attached script print 'VAR variable' for you as it does for me on 8.0-BETA2 (and undoubtedly on 8.0)? If yes, then getenv() works properly with a single environment variable. Perhaps you meant something else?

--
Eygene

Remember that it is hard to read the on-line manual while single-stepping the kernel.
-- FreeBSD Developers handbook
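Both messages revolve around the same few lines of rtld: read the LD_* variables, drop them for an untrusted (set-user-ID) process, and trust that unsetenv() actually did its job. The program below is an added example, not code from this thread or from FreeBSD's rtld.c. It keeps the hunk's read-then-scrub order and variable names but checks the unsetenv() result, as the reply says rtld should, and it also probes getenv() against an environment holding exactly one entry, which is what the reply's attached script tests. The attacker environments are constructed, the function names are mine, and the idea that an entry without '=' is one corruption that can make a libc's unsetenv() fail is my assumption (the thread only says that unsetenv() can fail); glibc tolerates such an entry, so the example rejects it itself before calling unsetenv().

```c
/* Added example, not from the thread or FreeBSD's rtld.c: the hunk's
 * read-then-scrub order with the unsetenv() result checked, plus a getenv()
 * probe on a one-entry environment (what the reply's attached script checks). */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;
#define LD_ "LD_"

/* Names rtld refuses to honour in a set-user-ID process (from the hunk). */
static const char *const dangerous[] = { LD_ "PRELOAD", LD_ "LIBMAP",
    LD_ "LIBRARY_PATH", LD_ "LIBMAP_DISABLE", LD_ "DEBUG", NULL };

/* What rtld keeps; same fields as the hunk's globals. */
struct ld_env {
    const char *ld_preload, *libmap_override, *ld_library_path, *ld_debug;
    int libmap_disable, dangerous_ld_env;
};

/* 1 if every entry has the NAME=value shape, else 0. An entry without '=' is
 * assumed (my assumption, not the thread's) to be one corruption that can make
 * a libc's unsetenv() fail; glibc tolerates it, so it is rejected here. */
int env_well_formed(char *const *envp)
{
    for (; *envp != NULL; envp++)
        if (strchr(*envp, '=') == NULL)
            return 0;
    return 1;
}

/* 0 when the variables are gone (or the process is trusted); -1 when the
 * environment is malformed or any unsetenv() failed. On -1 the caller must
 * abort: per the hunk's comment children may not inherit these variables. */
int scrub_ld_env(int trust, struct ld_env *e)
{
    e->ld_preload = getenv(LD_ "PRELOAD");
    e->libmap_override = getenv(LD_ "LIBMAP");
    e->ld_library_path = getenv(LD_ "LIBRARY_PATH");
    e->libmap_disable = getenv(LD_ "LIBMAP_DISABLE") != NULL;
    e->ld_debug = getenv(LD_ "DEBUG");
    if (!trust) {
        /* Forget the values before touching the environment, so a failure
         * below cannot leave a stale LD_PRELOAD in use by this process. */
        memset(e, 0, sizeof *e);
        if (!env_well_formed(environ)) {
            errno = EFAULT;
            return -1;
        }
        for (const char *const *p = dangerous; *p != NULL; p++)
            if (unsetenv(*p) != 0)
                return -1;
    }
    e->dangerous_ld_env = e->libmap_disable || e->libmap_override != NULL ||
                          e->ld_library_path != NULL || e->ld_preload != NULL;
    return 0;
}

/* getenv() on an environment with exactly one entry: 1 if the lookup yields
 * `value`, else 0. The original environ is restored afterwards. */
int getenv_single_entry_ok(const char *name, const char *value)
{
    char entry[256], *one[2] = { entry, NULL }, **saved = environ;
    const char *got;
    int ok;

    if (snprintf(entry, sizeof entry, "%s=%s", name, value) >= (int)sizeof entry)
        return 0;
    environ = one;                 /* POSIX allows replacing environ outright */
    got = getenv(name);
    ok = got != NULL && strcmp(got, value) == 0;
    environ = saved;
    return ok;
}

/* Constructed scenarios; each returns 1 on the behaviour a hardened rtld
 * should show. Arrays are static because unsetenv() rewrites environ. */
int scenario_untrusted_clean(void)
{
    static char *env[] = { "LD_PRELOAD=/tmp/evil.so", "PATH=/bin", NULL };
    struct ld_env e;
    environ = env;
    return scrub_ld_env(0, &e) == 0 && getenv(LD_ "PRELOAD") == NULL &&
           e.ld_preload == NULL && e.dangerous_ld_env == 0;
}

int scenario_untrusted_corrupt(void)
{
    static char *env[] = { "LD_PRELOAD=/tmp/evil.so", "JUNK", NULL };
    struct ld_env e;
    environ = env;              /* must fail loudly, never keep the preload */
    return scrub_ld_env(0, &e) == -1 && e.ld_preload == NULL;
}

int main(void)
{
    printf("untrusted, clean env:   %s\n", scenario_untrusted_clean() ? "scrubbed" : "FAIL");
    printf("untrusted, corrupt env: %s\n", scenario_untrusted_corrupt() ? "rejected" : "FAIL");
    printf("one-entry getenv():     %s\n",
           getenv_single_entry_ok("VAR", "variable") ? "VAR variable" : "broken");
    return 0;
}
```

The design choice worth noting is the order inside scrub_ld_env(): the locals are zeroed before the first unsetenv() call, so even an unsetenv() that fails half-way cannot hand this process an attacker's LD_PRELOAD, and a -1 return tells the caller that children would still inherit it and the only safe move is to exit. The one-entry probe runs in-process by swapping environ, which is enough to answer the reply's question without a separate script.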