
Bug#48544: libc6: search path for shared libraries includes current directory



Package: libc6
Version: 2.1.2-6
Severity: critical

I have marked this bug critical because it may be a catastrophic security
hole.  If the dynamic linker does not exhibit the behavior I describe below
for set-id binaries, then feel free to downgrade it.

I do not have any LD_* environment variables set, but for certain binaries
(such as perl) the dynamic linker scans the current directory and several
nonexistent subdirs of the current directory for shared libraries BEFORE it
checks /lib, /usr/lib, and the paths set in ld.so.conf.  I suspect that
this is a bug in the processor-specific library support.

Observe:

Script started on Wed Oct 27 23:27:48 1999
$ printenv
PWD=/home/zack
HZ=100
HOSTNAME=zack
PS1=\w \$
USER=zack
MACHTYPE=i486-pc-linux-gnu
MAIL=/var/spool/mail/zack
CVS_RSH=ssh
TIME=%E - %Uu, %Ss, %P - %F/%R
LANG=C
EMACS_UNIBYTE=t
LOGNAME=zack
SHLVL=2
HUSHLOGIN=FALSE
SHELL=/bin/bash
HOSTTYPE=i486
OSTYPE=linux-gnu
TERM=linux
HOME=/home/zack
PATH=/home/zack/bin:/usr/bin/mh:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games:/usr/sbin:/sbin
_=/usr/bin/printenv
$ strace -eopen perl -e 'exit 0'
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT
open("i686/mmx/libnsl.so.1", O_RDONLY)  = -1 ENOENT
open("i686/libnsl.so.1", O_RDONLY)      = -1 ENOENT
open("mmx/libnsl.so.1", O_RDONLY)       = -1 ENOENT
open("libnsl.so.1", O_RDONLY)           = -1 ENOENT
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib/libnsl.so.1", O_RDONLY)      = 3
open("i686/mmx/libdb.so.3", O_RDONLY)   = -1 ENOENT
open("i686/libdb.so.3", O_RDONLY)       = -1 ENOENT
open("mmx/libdb.so.3", O_RDONLY)        = -1 ENOENT
open("libdb.so.3", O_RDONLY)            = -1 ENOENT
open("/lib/libdb.so.3", O_RDONLY)       = 3
open("i686/mmx/libgdbm.so.1", O_RDONLY) = -1 ENOENT
open("i686/libgdbm.so.1", O_RDONLY)     = -1 ENOENT
open("mmx/libgdbm.so.1", O_RDONLY)      = -1 ENOENT
open("libgdbm.so.1", O_RDONLY)          = -1 ENOENT
open("/usr/lib/libgdbm.so.1", O_RDONLY) = 3
open("i686/mmx/libdl.so.2", O_RDONLY)   = -1 ENOENT
open("i686/libdl.so.2", O_RDONLY)       = -1 ENOENT
open("mmx/libdl.so.2", O_RDONLY)        = -1 ENOENT
open("libdl.so.2", O_RDONLY)            = -1 ENOENT
open("/lib/libdl.so.2", O_RDONLY)       = 3
open("i686/mmx/libm.so.6", O_RDONLY)    = -1 ENOENT
open("i686/libm.so.6", O_RDONLY)        = -1 ENOENT
open("mmx/libm.so.6", O_RDONLY)         = -1 ENOENT
open("libm.so.6", O_RDONLY)             = -1 ENOENT
open("/lib/libm.so.6", O_RDONLY)        = 3
open("i686/mmx/libc.so.6", O_RDONLY)    = -1 ENOENT
open("i686/libc.so.6", O_RDONLY)        = -1 ENOENT
open("mmx/libc.so.6", O_RDONLY)         = -1 ENOENT
open("libc.so.6", O_RDONLY)             = -1 ENOENT
open("/lib/libc.so.6", O_RDONLY)        = 3
open("i686/mmx/libcrypt.so.1", O_RDONLY) = -1 ENOENT
open("i686/libcrypt.so.1", O_RDONLY)    = -1 ENOENT
open("mmx/libcrypt.so.1", O_RDONLY)     = -1 ENOENT
open("libcrypt.so.1", O_RDONLY)         = -1 ENOENT
open("/lib/libcrypt.so.1", O_RDONLY)    = 3
open("/dev/null", O_RDONLY)             = 3
$ ln -s /lib/libc.so.6
$ strace -eopen perl -e 'exit 0'
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT
open("i686/mmx/libnsl.so.1", O_RDONLY)  = -1 ENOENT
open("i686/libnsl.so.1", O_RDONLY)      = -1 ENOENT
open("mmx/libnsl.so.1", O_RDONLY)       = -1 ENOENT
open("libnsl.so.1", O_RDONLY)           = -1 ENOENT
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib/libnsl.so.1", O_RDONLY)      = 3
open("i686/mmx/libdb.so.3", O_RDONLY)   = -1 ENOENT
open("i686/libdb.so.3", O_RDONLY)       = -1 ENOENT
open("mmx/libdb.so.3", O_RDONLY)        = -1 ENOENT
open("libdb.so.3", O_RDONLY)            = -1 ENOENT
open("/lib/libdb.so.3", O_RDONLY)       = 3
open("i686/mmx/libgdbm.so.1", O_RDONLY) = -1 ENOENT
open("i686/libgdbm.so.1", O_RDONLY)     = -1 ENOENT
open("mmx/libgdbm.so.1", O_RDONLY)      = -1 ENOENT
open("libgdbm.so.1", O_RDONLY)          = -1 ENOENT
open("/usr/lib/libgdbm.so.1", O_RDONLY) = 3
open("i686/mmx/libdl.so.2", O_RDONLY)   = -1 ENOENT
open("i686/libdl.so.2", O_RDONLY)       = -1 ENOENT
open("mmx/libdl.so.2", O_RDONLY)        = -1 ENOENT
open("libdl.so.2", O_RDONLY)            = -1 ENOENT
open("/lib/libdl.so.2", O_RDONLY)       = 3
open("i686/mmx/libm.so.6", O_RDONLY)    = -1 ENOENT
open("i686/libm.so.6", O_RDONLY)        = -1 ENOENT
open("mmx/libm.so.6", O_RDONLY)         = -1 ENOENT
open("libm.so.6", O_RDONLY)             = -1 ENOENT
open("/lib/libm.so.6", O_RDONLY)        = 3
open("i686/mmx/libc.so.6", O_RDONLY)    = -1 ENOENT
open("i686/libc.so.6", O_RDONLY)        = -1 ENOENT
open("mmx/libc.so.6", O_RDONLY)         = -1 ENOENT
open("libc.so.6", O_RDONLY)             = 3		***
open("i686/mmx/libcrypt.so.1", O_RDONLY) = -1 ENOENT
open("i686/libcrypt.so.1", O_RDONLY)    = -1 ENOENT
open("mmx/libcrypt.so.1", O_RDONLY)     = -1 ENOENT
open("libcrypt.so.1", O_RDONLY)         = -1 ENOENT
open("/lib/libcrypt.so.1", O_RDONLY)    = 3
open("/dev/null", O_RDONLY)             = 3
$ exit
Script done on Wed Oct 27 23:28:28 1999

Notice how in the second strace libc.so.6 is found in the current directory
(the starred line).

Note that this does not happen for simpler binaries such as /bin/true.

zw

-- System Information
Debian Release: potato
Kernel Version: Linux zack 2.2.13 #1 Tue Oct 26 10:34:48 PDT 1999 i686 unknown

Versions of the packages libc6 depends on:
ii  ldso            1.9.11-5       The Linux dynamic linker, library and utilit
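
Added example, not part of the original report: a small Python check that scans `strace -eopen` output like the session above and lists every shared-library open that used a relative path, marking the ones that succeeded. The sample embeds lines from the report's second trace plus one constructed `openat` line; the function names and the `openat(AT_FDCWD, ...)` handling for newer strace output are assumptions of this example.

```python
import re

# open("path", ...) = ret, or openat(AT_FDCWD, "path", ...) = ret.
# Both resolve a relative path against the current working directory.
OPEN_RE = re.compile(
    r'^open(?:at\(AT_FDCWD,\s*|\()"(?P<path>[^"]+)".*\)\s*=\s*(?P<ret>-?\d+)'
)
# Shared-object names: libfoo.so, libfoo.so.1, libfoo.so.1.2 ...
SO_RE = re.compile(r'\.so(\.\d+)*$')

# Lines from the report's second trace, plus one constructed openat line.
SAMPLE = '''\
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("i686/mmx/libc.so.6", O_RDONLY)    = -1 ENOENT
open("i686/libc.so.6", O_RDONLY)        = -1 ENOENT
open("mmx/libc.so.6", O_RDONLY)         = -1 ENOENT
open("libc.so.6", O_RDONLY)             = 3
open("libcrypt.so.1", O_RDONLY)         = -1 ENOENT
open("/lib/libcrypt.so.1", O_RDONLY)    = 3
openat(AT_FDCWD, "libm.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
'''


def relative_library_opens(strace_text):
    """Return (path, loaded) for each shared-object open with a relative path."""
    findings = []
    for line in strace_text.splitlines():
        m = OPEN_RE.match(line.strip())
        if not m:
            continue
        path, ret = m.group("path"), int(m.group("ret"))
        # A relative path means the lookup depends on the caller's cwd.
        if SO_RE.search(path) and not path.startswith("/"):
            findings.append((path, ret >= 0))
    return findings


def loaded_from_cwd(strace_text):
    """Relative library paths whose open() succeeded, i.e. actually loaded."""
    return [p for p, loaded in relative_library_opens(strace_text) if loaded]


if __name__ == "__main__":
    for path, loaded in relative_library_opens(SAMPLE):
        print(("LOADED  " if loaded else "probed  ") + path)
```
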

