
Bug#720735: initramfs-tools: mkinitramfs uses ldd, which is insecure and generates core dumps



Control: tag -1 - security

On Sun, 2013-08-25 at 00:37 +0200, Vincent Lefevre wrote:
> Package: initramfs-tools
> Version: 0.113
> Severity: important
> Tags: security
> 
> I've noticed that when running update-initramfs, a core dump was
> generated in the current directory, which is in itself a first bug.
> 
> After looking at this problem with strace, I saw that this came from:
> 
>   /usr/bin/ldd /lib/firmware/cis/PCMLM28.cis
> 
> apparently via mkinitramfs. The strace output shows:
> 
> 23190 execve("/libx32/ld-linux-x32.so.2", ["/libx32/ld-linux-x32.so.2"], [/* 115 vars */]) = 0
> 23190 syscall_1073741836(0, 0, 0x4000000c, 0xbfebfbff, 0x37f, 0x64, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000) = -1 (errno 38)
> 23190 syscall_1073742340(0x2, 0xfffbaa70, 0x1, 0xbfebfbff, 0xf77b0a3e, 0xf776d8cc, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d) = -1 (errno 38)
> 23190 syscall_1073742055(0x7f, 0x4000003c, 0x7f, 0xbfebfbff, 0x400000e7, 0xf776d8cc, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7) = -1 (errno 38)
> 23190 syscall_1073741884(0x7f, 0x4000003c, 0x7f, 0xbfebfbff, 0x400000e7, 0xf776d8cc, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7) = -1 (errno 38)
> 23190 --- SIGSEGV (Segmentation fault) @ 0 (0) ---
> 
> I wonder whether it may be a security bug. /libx32 is not necessarily
> a standard directory, and could for instance be NFS mounted,
[...]

What?  It belongs to glibc;

$ dpkg -S /libx32
libc6-x32: /libx32

Ben.

-- 
Ben Hutchings
Never put off till tomorrow what you can avoid all together.
