Bug#650536: [new check] test for missing hardening build flags

To: 650536@bugs.debian.org
Subject: Bug#650536: [new check] test for missing hardening build flags
From: Jakub Wilk <jwilk@debian.org>
Date: Thu, 8 Dec 2011 11:50:19 +0100
Message-id: <[🔎] 20111208105019.GA2525@jwilk.net>
Mail-followup-to: 650536@bugs.debian.org
Reply-to: Jakub Wilk <jwilk@debian.org>, 650536@bugs.debian.org
In-reply-to: <[🔎] 20111208110637.80FDB47BB6@thykier.net>
References: <[🔎] 20111208110637.80FDB47BB6@thykier.net>

* Niels Thykier <niels@thykier.net>, 2011-12-08, 12:06:

I was informed (and have verified) that hardening-check uses "ldd(1)".Unfortunately, ldd(1) appears to be (semi-)executing the binaries it isrun on[1]. This smells like a CVE in the making,

AFAIUI, ldd in our libc is not vulnerable to arbitrary code executionsince 2.10.1-7.

The other problem with using ldd is that it won't work for binaries offoreign architecture.

so would it be possible for you to update hardening-check to usereadelf instead[2]?

Currently ldd is used to discover which libc the binaries is linked to,in order to read symbol from the libc library. But this won't work, evenwhen using readelf, for foreign architecture binaries, for the simplereason that such libc might not exist on the user's system.


--
Jakub Wilk

Reply to:

Follow-Ups:
- Bug#650536: [new check] test for missing hardening build flags
  - From: Kees Cook <kees@debian.org>

References:
- Bug#650536: [new check] test for missing hardening build flags
  - From: Niels Thykier <niels@thykier.net>

Prev by Date: [SCM] Debian package checker branch, master, updated. 2.5.4-39-g14a9bc5
Next by Date: Bug#651332: lintian: unhelpful message if changes file not present
Previous by thread: Bug#650536: [new check] test for missing hardening build flags
Next by thread: Bug#650536: [new check] test for missing hardening build flags
Index(es):
- Date
- Thread