Carlos O'Donell - Re: Missing security fix in elf/dl-open.c? (original) (raw)
This is the mail archive of the libc-alpha@sourceware.orgmailing list for the glibc project.
| Index Nav: | [Date Index] [Subject Index] [Author Index] [Thread Index] | |
|---|---|---|
| Message Nav: | [Date Prev] [Date Next] | [Thread Prev] [Thread Next] |
| Other format: | [Raw text] |
- From: "Carlos O'Donell"
- To: Florian Weimer , GNU C Library
- Date: Fri, 27 Feb 2015 00:07:50 -0500
- Subject: Re: Missing security fix in elf/dl-open.c?
- Authentication-results: sourceware.org; auth=none
- References: <54ECB0B4 dot 1030602 at redhat dot com>
On 02/24/2015 12:11 PM, Florian Weimer wrote:
Some downstreams include this hunk in their patches related to CVE-2010-3847 and CVE-2011-0536:
Index: glibc-2.12-2-gc4ccff1/elf/dl-object.c
--- glibc-2.12-2-gc4ccff1.orig/elf/dl-object.c +++ glibc-2.12-2-gc4ccff1/elf/dl-object.c @@ -214,6 +214,9 @@ _dl_new_object (char *realname, const ch out: new->l_origin = origin; }
- else if (INTUSE(__libc_enable_secure) && type == lt_executable)
- /* The origin of a privileged program cannot be trusted. */
- new->l_origin = (char *) -1;
return new; }
I can't find this in glibc master. Is the hunk above needed, or is it just hardening?
Seems like additional hardening to me, and it could break real applications.
c.
- Follow-Ups:
- Re: Missing security fix in elf/dl-open.c?
* From: Florian Weimer
- Re: Missing security fix in elf/dl-open.c?
- References:
- Missing security fix in elf/dl-open.c?
* From: Florian Weimer
- Missing security fix in elf/dl-open.c?
| Index Nav: | [Date Index] [Subject Index] [Author Index] [Thread Index] | |
|---|---|---|
| Message Nav: | [Date Prev] [Date Next] | [Thread Prev] [Thread Next] |