Bug#514408: /usr/bin/ldd: ldd manpage fails to mention security implications
Package: libc6
Version: 2.7-18
Severity: normal
File: /usr/bin/ldd
TLDP[1] says:
> Beware: do not run ldd on a program you don't trust. As is
> clearly stated in the ldd(1) manual, ldd works (in certain
> cases) by setting a special environment variable (for ELF
> objects, LD_TRACE_LOADED_OBJECTS) and then executing the
> program. It may be possible for an untrusted program to force
> the ldd user to run arbitrary code (instead of simply showing
> the ldd information). So, for safety's sake, don't use ldd on
> programs you don't trust to execute.
However, I haven't found any mention of that in the Debian ldd(1) manpage. Is
the warning still relevant? The "try_trace" function defined in the ldd
script does invoke its argument just as described above. I think the
documentation should be updated either to warn the user or to state that
the Debian version of ldd isn't susceptible to the problem (if that is
the case).
[1] http://tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html
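As an added example (not part of this bug report or of glibc's ldd script), the following Python parser lists a binary's DT_NEEDED entries by reading the ELF file bytes only, which sidesteps the execution step the quoted warning describes (readelf -d reports the same information). It assumes little-endian ELF64 input; the sample image it parses is constructed inline as test data, not a real binary.

```python
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10

def needed_libraries(elf: bytes) -> list:
    """Return the DT_NEEDED names of a little-endian ELF64 image by reading
    the file bytes only; nothing is mapped or executed, unlike ldd."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    hdr = struct.unpack_from("<16sHHIQQQIHHHHHH", elf, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    loads, dynamic = [], None
    for i in range(phnum):  # walk the program header table
        ph = struct.unpack_from("<IIQQQQQQ", elf, phoff + i * phentsize)
        if ph[0] == PT_LOAD:       # remember (p_vaddr, p_offset, p_filesz)
            loads.append((ph[3], ph[2], ph[5]))
        elif ph[0] == PT_DYNAMIC:
            dynamic = ph[2]
    if dynamic is None:
        return []  # no dynamic segment: nothing to resolve

    def to_offset(vaddr):  # map a virtual address to a file offset via PT_LOAD
        for v, off, size in loads:
            if v <= vaddr < v + size:
                return off + (vaddr - v)
        raise ValueError("address %#x is not backed by the file" % vaddr)
    needed, strtab = [], None
    for pos in range(dynamic, len(elf), 16):  # 16-byte Elf64_Dyn entries
        tag, val = struct.unpack_from("<qQ", elf, pos)
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            needed.append(val)
        elif tag == DT_STRTAB:
            strtab = to_offset(val)
    return [elf[strtab + o:elf.index(b"\0", strtab + o)].decode() for o in needed]

def build_sample_elf() -> bytes:
    """Constructed minimal ET_DYN image (test data, not a real binary)."""
    base, strtab = 0x400000, b"\0libc.so.6\0libm.so.6\0"
    dyn = struct.pack("<" + "qQ" * 5, DT_STRTAB, base + 256, DT_STRSZ,
                      len(strtab), DT_NEEDED, 1, DT_NEEDED, 11, DT_NULL, 0)
    total = 176 + len(dyn) + len(strtab)  # header (64) + two phdrs (112) + body
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 64, 0, 0)
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, base, base, total, total, 0x1000)
    dynph = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 176, base + 176, base + 176,
                        len(dyn), len(dyn), 8)
    return ehdr + load + dynph + dyn + strtab
```

Running `needed_libraries(open(path, "rb").read())` on a real file gives the library names ldd would print, minus the resolved paths, without ever invoking the binary or its PT_INTERP loader.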
-- System Information:
Debian Release: 5.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.18-53.el5.028stab051.1 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libc6 depends on:
ii libgcc1 1:4.3.2-1.1 GCC support library
libc6 recommends no packages.
Versions of packages libc6 suggests:
pn glibc-doc <none> (no description available)
pn libc6-i686 <none> (no description available)
ii locales 2.7-10 GNU C Library: National Language (
-- debconf information:
glibc/upgrade: true
glibc/restart-failed:
glibc/restart-services: