Your message dated Wed, 7 Feb 2007 01:00:35 +0100 with message-id <20070207000035.GA31176@hades.madism.org> and subject line your mail has caused the attached Bug report to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database)
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: an empty directory string in LD_LIBRARY_PATH is interpreted as '.'
- From: Konrad Wojas <debian@wojas.vvtp.tudelft.nl>
- Date: Sat, 06 Jul 2002 14:45:44 +0200
- Message-id: <20020706124544.14701.qmail@edup656.edup.tudelft.nl>
Package: libc6 Version: 2.2.5-6 Severity: grave Tags: security Justification: user security hole ld-linux.so interprets an empty directory string in LD_LIBRARY_PATH as '.' Suppose a user add this to his/her login script: export LD_LIBRARY_PATH=$HOME/lib:$LD_LIBRARY_PATH (Which is not uncommon!) If LD_LIBRARY_PATH is not defined the user will end up with '/home/user/lib:' as LD_LIBRARY_PATH, which to the loader is identical to '/home/user/lib:.' Another user could create a custom libc.so.6 with exploit code in /tmp. The next time the user executes a command in /tmp /tmp/libc.so.6 is user instead of the system libc.so.6 If this user is 'root', the exploit code will be executed with root privileges. -- System Information Debian Release: 3.0 Architecture: i386 Kernel: Linux edup656 2.4.18 #1 Tue Mar 19 18:35:34 CET 2002 i686 Locale: LANG=C, LC_CTYPE=C
--- End Message ---
--- Begin Message ---
- To: 152099-done@bugs.debian.org
- Subject: Re: your mail
- From: Pierre HABOUZIT <madcoder@debian.org>
- Date: Wed, 7 Feb 2007 01:00:35 +0100
- Message-id: <20070207000035.GA31176@hades.madism.org>
- Mail-followup-to: 152099-done@bugs.debian.org
- In-reply-to: <1042027497.24305.41.camel@mill.nexus.co.uk>
- References: <1042027497.24305.41.camel@mill.nexus.co.uk>
Version: 2.3.6.ds1-10 This is documented in ld-linux.so man page. On Wed, Jan 08, 2003 at 12:04:57PM +0000, Philip Blundell wrote: > tags 174521 + unreproducible > tags 152099 - security > severity 152099 minor > retitle 152099 [doc] an empty directory string in LD_LIBRARY_PATH is interpreted as '.' > thanks > > > > -- ·O· Pierre Habouzit ··O madcoder@debian.org OOO http://www.madism.orgAttachment: pgpzU16vusrIx.pgp
Description: PGP signature
--- End Message ---