about summary refs log tree commit diff
path: root/NEWS
diff options
context:
space:
mode:
authorAurelien Jarno <aurelien@aurel32.net>2017-12-30 10:54:23 +0100
committerAurelien Jarno <aurelien@aurel32.net>2017-12-30 22:01:32 +0100
commit3e3c904daef69b8bf7d5cc07f793c9f07c3553ef (patch)
tree6344d695b9615fb00180b271c69cf84cd32d0eb4 /NEWS
parentc48831d0eebf876d986919baf2d9240a79192837 (diff)
downloadglibc-3e3c904daef69b8bf7d5cc07f793c9f07c3553ef.tar.gz
glibc-3e3c904daef69b8bf7d5cc07f793c9f07c3553ef.tar.xz
glibc-3e3c904daef69b8bf7d5cc07f793c9f07c3553ef.zip
elf: Check for empty tokens before dynamic string token expansion [BZ #22625]
The fillin_rpath function in elf/dl-load.c loops over each RPATH or
RUNPATH tokens and interprets empty tokens as the current directory
("./"). In practice the check for empty token is done *after* the
dynamic string token expansion. The expansion process can return an
empty string for the $ORIGIN token if __libc_enable_secure is set
or if the path of the binary can not be determined (/proc not mounted).

Fix that by moving the check for empty tokens before the dynamic string
token expansion. In addition, check for NULL pointer or empty strings
return by expand_dynamic_string_token.

The above changes highlighted a bug in decompose_rpath, an empty array
is represented by the first element being NULL at the fillin_rpath
level, but by using a -1 pointer in decompose_rpath and other functions.

Changelog:
	[BZ #22625]
	* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
	string token expansion. Check for NULL pointer or empty string possibly
	returned by expand_dynamic_string_token.
	(decompose_rpath): Check for empty path after dynamic string
	token expansion.
Diffstat (limited to 'NEWS')
-rw-r--r--NEWS4
1 files changed, 4 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 95f368340b..1b59e519ab 100644
--- a/NEWS
+++ b/NEWS
@@ -164,6 +164,10 @@ Security related changes:
   CVE-2017-1000366 has been applied, but it is mentioned here only because
   of the CVE assignment.)  Reported by Qualys.
 
+  CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
+  for AT_SECURE or SUID binaries could be used to load libraries from the
+  current directory.
+
 The following bugs are resolved with this release:
 
   [The release manager will add the list generated by