
Bug#33505: glibc dlerror() on dlopen() fails with long (22 char!) filename



Package: libc6
Version: 2.0.7.19981211-5
Severity: critical

Justification of severity: I don't know if anything else is getting 
overwritten or what is happening when dlerror() is returning junk.  It
could easily be overflowing an internal buffer, and hence further
investigation is necessary to deduce if this could introduce a serious
security problem into any security sensitive packages which dlopen()
a user library.  Note that dlopen()ing a user library should be OK to
do in code running as root, as long as the code changes user-id before
executing code out of said library, and there could be SUID programs out
there which call dlopen() as root.  Hence this potentially introduces
a security hole, if any code is written using this belief, and should be
critical until investigated (if found not to be the result of a buffer
overflow, then it is just an "important" bug, since it can make
well-written programs misbehave in a way they don't report sensible
errors on failure).

There appears to be a major bug in dlerror() or dlopen(); when I pass
dlopen() an invalid object (e.g., an empty file) with a filename longer than
around 22 characters, I get the first 21 or so characters of the filename
followed by a random character out of dlerror().  The error message and the
rest of the filename are nowhere to be seen.

Verifying that filename length was the problem was done by trying to open a
zero-length dll (i.e., to get an error), ./blah.so, then changing it to
././././././././././././././././././blah.so, which truncated badly
and did not report an error.
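The check described above, written out as a self-contained reproducer. This is an added example, not code from the bug report or from glibc: it creates an empty file under a "./././...<name>" path of a chosen length, calls dlopen() on it, and records whether dlopen() failed, whether dlerror() returned a message at all, and whether the full path survives in that message (the property the report says is lost past about 22 characters). The file name dlerror_probe_empty.so and the probe lengths are constructed for the example; it assumes a glibc where dlopen() lives in libc itself (2.34 and later), so on older toolchains link with -ldl.

```c
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Outcome of one dlopen()/dlerror() probe. */
struct probe_result {
    int dlopen_failed;   /* 1 if dlopen() returned NULL (expected for an empty file) */
    int have_error;      /* 1 if dlerror() returned a non-NULL message */
    int path_intact;     /* 1 if the full path we passed appears in the message */
    size_t path_len;     /* length of the path handed to dlopen() */
    char message[512];   /* copy of the dlerror() text, truncated if very long */
};

/* Build "./././...<base>" of at least min_len characters, mirroring the
 * report's "././././blah.so" test. Always prefixes at least one "./" so the
 * name is looked up relative to the cwd rather than the library search path.
 * Returns 0 on success, -1 if buf is too small. */
int build_long_path(char *buf, size_t bufsz, const char *base, size_t min_len)
{
    size_t base_len = strlen(base);
    size_t pos = 0;
    if (min_len + 1 > bufsz || base_len + 3 > bufsz) return -1;
    while ((pos == 0 || pos + base_len < min_len) && pos + 2 + base_len + 1 <= bufsz) {
        buf[pos++] = '.';
        buf[pos++] = '/';
    }
    memcpy(buf + pos, base, base_len + 1);  /* copies the terminating NUL too */
    return 0;
}

/* Create an empty file at `path`, try to dlopen() it, and record what
 * dlerror() reports. Returns 0 if the probe ran, -1 on setup failure. */
int probe_dlerror(const char *path, struct probe_result *r)
{
    memset(r, 0, sizeof *r);
    r->path_len = strlen(path);

    FILE *f = fopen(path, "w");     /* zero-length file: never a valid ELF object */
    if (!f) return -1;
    fclose(f);

    (void)dlerror();                /* clear any stale error state */
    void *h = dlopen(path, RTLD_NOW);
    const char *err = dlerror();    /* read once, before any other dl* call resets it */
    if (h) {
        dlclose(h);
    } else {
        r->dlopen_failed = 1;
    }
    if (err) {
        r->have_error = 1;
        snprintf(r->message, sizeof r->message, "%s", err);
        r->path_intact = strstr(err, path) != NULL;
    }
    unlink(path);
    return 0;
}

/* Run the probe on a "./././...dlerror_probe_empty.so" path of at least
 * min_len characters (constructed file name, not the report's blah.so). */
int probe_long_path(size_t min_len, struct probe_result *r)
{
    char path[1024];
    if (build_long_path(path, sizeof path, "dlerror_probe_empty.so", min_len) != 0)
        return -1;
    return probe_dlerror(path, r);
}

int main(void)
{
    struct probe_result r;
    size_t lengths[] = { 24, 40, 80, 200 };   /* constructed probe lengths */
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        if (probe_long_path(lengths[i], &r) != 0) { perror("probe"); return 1; }
        printf("len=%zu failed=%d error=%d path_intact=%d msg=\"%s\"\n",
               r.path_len, r.dlopen_failed, r.have_error, r.path_intact, r.message);
    }
    return 0;
}
```

A healthy glibc prints path_intact=1 for every length, with the message ending in something like "file too short"; the behaviour the report describes would show path_intact=0 and a message consisting of a truncated path with no error text after it. Whether the full path appears is deliberately recorded rather than assumed, since that is the very property under test.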

David.

