Bug#152099: marked as done ([doc] an empty directory string in LD_LIBRARY_PATH is interpreted as '.')

To: Pierre HABOUZIT <madcoder@debian.org>
Subject: Bug#152099: marked as done ([doc] an empty directory string in LD_LIBRARY_PATH is interpreted as '.')
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Tue, 06 Feb 2007 16:03:27 -0800
Message-id: <[🔎] handler.152099.D152099.117080643915348.ackdone@bugs.debian.org>
References: <20070207000035.GA31176@hades.madism.org> <20020706124544.14701.qmail@edup656.edup.tudelft.nl>

Your message dated Wed, 7 Feb 2007 01:00:35 +0100
with message-id <20070207000035.GA31176@hades.madism.org>
and subject line your mail
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: an empty directory string in LD_LIBRARY_PATH is interpreted as '.'
From: Konrad Wojas <debian@wojas.vvtp.tudelft.nl>
Date: Sat, 06 Jul 2002 14:45:44 +0200
Message-id: <20020706124544.14701.qmail@edup656.edup.tudelft.nl>

Package: libc6
Version: 2.2.5-6
Severity: grave
Tags: security
Justification: user security hole

ld-linux.so interprets an empty directory string in LD_LIBRARY_PATH as '.'

Suppose a user add this to his/her login script:

  export LD_LIBRARY_PATH=$HOME/lib:$LD_LIBRARY_PATH

(Which is not uncommon!)

If LD_LIBRARY_PATH is not defined the user will end up with 
'/home/user/lib:' as LD_LIBRARY_PATH, which to the loader
is identical to '/home/user/lib:.'

Another user could create a custom libc.so.6 with exploit code in
/tmp. The next time the user executes a command in /tmp 
/tmp/libc.so.6 is user instead of the system libc.so.6

If this user is 'root', the exploit code will be executed with root 
privileges.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux edup656 2.4.18 #1 Tue Mar 19 18:35:34 CET 2002 i686
Locale: LANG=C, LC_CTYPE=C

--- End Message ---

--- Begin Message ---

To: 152099-done@bugs.debian.org

Subject: Re: your mail

From: Pierre HABOUZIT <madcoder@debian.org>

Date: Wed, 7 Feb 2007 01:00:35 +0100

Message-id: <20070207000035.GA31176@hades.madism.org>

Mail-followup-to: 152099-done@bugs.debian.org

In-reply-to: <1042027497.24305.41.camel@mill.nexus.co.uk>

References: <1042027497.24305.41.camel@mill.nexus.co.uk>
Version: 2.3.6.ds1-10

  This is documented in ld-linux.so man page.

On Wed, Jan 08, 2003 at 12:04:57PM +0000, Philip Blundell wrote:
> tags 174521 + unreproducible
> tags 152099 - security
> severity 152099 minor
> retitle 152099 [doc] an empty directory string in LD_LIBRARY_PATH is interpreted as '.'
> thanks
> 
> 
> 
> 

-- 
·O·  Pierre Habouzit
··O                                                madcoder@debian.org
OOO                                                http://www.madism.org
Attachment: pgpzU16vusrIx.pgp
Description: PGP signature

--- End Message ---

Reply to:

Prev by Date: Bug#315882: marked as done (iconv: report character number as well as byte number)
Next by Date: Bug#340898: time(2) has wrong return value
Previous by thread: Bug#315882: marked as done (iconv: report character number as well as byte number)
Next by thread: Bug#340898: time(2) has wrong return value
Index(es):
- Date
- Thread