[16930] in bugtraq
Re: ld.so bug - LD_DEBUG_OUTPUT follows symlinks
daemon@ATHENA.MIT.EDU (Dwayne C . Litzenberger)
Wed Sep 27 13:26:58 2000
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="pf9I7BMVVzbSWLtt"
Content-Disposition: inline
Message-ID: <20000926175214.A2815@zed.dcl>
Date: Tue, 26 Sep 2000 17:52:14 -0600
Reply-To: "Dwayne C . Litzenberger" <dlitz@CHEERFUL.COM>
From: "Dwayne C . Litzenberger" <dlitz@CHEERFUL.COM>
X-To: Jakub Vlasek <jv@PILSEDU.CZ>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.10.10009260121020.8586-100000@kronos>; from
jv@PILSEDU.CZ on Tue, Sep 26, 2000 at 02:11:12AM +0200
--pf9I7BMVVzbSWLtt
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Tue, Sep 26, 2000 at 02:11:12AM +0200, Jakub Vlasek wrote:
> Hi,
> ld.so from glibc2 doesn't unset variables LD_DEBUG_OUTPUT and LD_DEBUG
> when running suid. If program calls setuid(0) and then fork(), child
> process will follow prepared symlink ($LD_DEBUG_OUTPUT.$pid) and
> overwrites any file in system.
>=20
> Jakub Vlasek
I could not reproduce this.
When I run the suid program, LD_DEBUG still works (odd, but true), but
LD_DEBUG_OUTPUT seems to be ignored (output goes to the terminal). What
version of glibc2 were you using? (I am using Debian libc6 (a.k.a. glibc2)
version 2.1.3-10.)
--=20
Dwayne C. Litzenberger - dlitz@cheerful.com
- Please always Cc to me when replying to me on the lists.
- See the mail headers for GPG/advertising/homepage information.
--pf9I7BMVVzbSWLtt
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAjnRNq4ACgkQRFb7bLw5pLA2EwCfeIFKI2uF59G6h2F7mDWcCg6I
6+AAn3BwyZKSzakzJ1maDXlK1bDWa/9N
=8RRW
-----END PGP SIGNATURE-----
--pf9I7BMVVzbSWLtt--
