setuid library search path: The GNU C library dynamic linker expands $ORIGIN

Please be advised that a vulnerability has been identified: the GNU C library dynamic linker expands $ORIGIN in the setuid library search path.
To view this vulnerability, possible remedies, and other advisories, see the Security Advisories at Critical Watch (http://criticalwatch.com/support/security-advisories.aspx).

GNU-SA-10/18/2010: The GNU C library dynamic linker expands $ORIGIN in setuid library search path

For security, the dynamic linker does not allow use of $ORIGIN substitution sequences for set-user and set-group ID programs. For such sequences that appear within strings specified by DT_RUNPATH dynamic array entries, the specific search path containing the $ORIGIN sequence is ignored (though other search paths in the same string are processed). $ORIGIN sequences within a DT_NEEDED entry or path passed as a parameter to dlopen() are treated as errors. The same restrictions may be applied to processes that have more than minimal privileges on systems with installed extended security mechanisms.

Read more at http://www.criticalwatch.com
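The rule quoted above, modelled in C as an added example (it is not glibc's code and not part of the original advisory): a secure process drops only the DT_RUNPATH elements that contain $ORIGIN and rejects DT_NEEDED or dlopen() names that contain it. The function names, the `secure` flag and the sample path are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* 1 if element [s, s+len) contains $ORIGIN or ${ORIGIN}. Substring match;
 * it cannot run past the ':' separator because neither form contains one. */
static int has_origin(const char *s, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (s[i] == '$' && (strncmp(s + i + 1, "ORIGIN", 6) == 0 ||
                            strncmp(s + i + 1, "{ORIGIN}", 8) == 0))
            return 1;
    return 0;
}

/* DT_RUNPATH rule: when secure (set-user/set-group ID), ignore each element
 * containing $ORIGIN, keep the rest. Returns count ignored, -1 if out is too small. */
int filter_runpath(const char *runpath, int secure, char *out, size_t outlen)
{
    int ignored = 0, kept = 0;
    size_t used = 0;
    if (outlen == 0) return -1;
    out[0] = '\0';
    for (const char *p = runpath;; p += strcspn(p, ":") + 1) {
        size_t len = strcspn(p, ":");          /* length of this element */
        if (secure && has_origin(p, len)) {
            ignored++;                         /* only this element is skipped */
        } else {
            if (used + len + 2 > outlen) return -1;
            if (kept++) out[used++] = ':';
            memcpy(out + used, p, len);
            used += len;
            out[used] = '\0';
        }
        if (p[len] == '\0') break;
    }
    return ignored;
}

/* DT_NEEDED / dlopen() rule: a name containing $ORIGIN is an error (-1). */
int check_load_name(const char *name, int secure)
{
    return (secure && has_origin(name, strlen(name))) ? -1 : 0;
}

int main(void)
{
    char buf[256]; /* the RUNPATH string below is a constructed sample */
    int n = filter_runpath("$ORIGIN/../lib:/opt/app/lib", 1, buf, sizeof buf);
    printf("ignored=%d kept=%s\n", n, buf);
    return 0;
}
```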
 
