Re: ldd can execute an app unexpectedly

[Steve Grubb <sgrubb () redhat com>]

On Monday, March 07, 2011 07:00:11 pm Dmitry V. Levin wrote:
> On Mon, Mar 07, 2011 at 06:27:05PM -0500, Steve Grubb wrote:
> [...]
>
> >  http://reverse.lostrealm.com/protect/ldd.html
> >  http://www.catonmat.net/blog/ldd-arbitrary-code-execution/
> >
> > Besides telling everyone don't do that. ldd could take the PoV that it
> > should only call runtime linkers in trusted directories like /sbin or
> > /usr/sbin. Or it could simply detect that another linker was requested
> > and make you add a "--force" so that you are fully aware that you just
> > let another linker run. (The suggested patch can certainly be improved.
> > But its here just in case you want it.)
>
> In June of 2002, I suggested to change ldd to avoid invoking programs
> directly, even when it seems like that would work, and invoke the dynamic
> linker as a program instead.
> This change was implemented at least in Owl and ALT Linux:
> http://cvsweb.openwall.com/cgi/cvsweb.cgi/~checkout~/Owl/packages/glibc/gli
> bc-2.3.6-owl-alt-ldd.diff
> http://git.altlinux.org/gears/g/glibc.git?p=glibc.git;a=commitdiff;h=78857
> 7027d2950e9508a434475e04c3af864d169

To be clear, I in no way want credit for this. Its been known for a long time. But if 
requirements have been loosened for CVEs, this is something people want to know about 
and probably patch. I strongly believe that it should be fixed.

Any other skeletons in the closet that never got a CVE?

-Steve