Bug#272210: marked as done (libc6: LD_DEBUG should be ignored for suid/sgid binaries)
Your message dated Wed, 26 Jan 2005 23:46:10 +0900
with message-id <81651kp7t9.wl@omega.webmasters.gr.jp>
and subject line Bug#272210: libc6: LD_DEBUG should be ignored for suid/sgid binaries
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Message-ID: <1095506408.414c19e8aae86@webmail.uu.se>
Date: Sat, 18 Sep 2004 13:20:08 +0200
From: Ulf Härnhammar <Ulf.Harnhammar.9485@student.uu.se>
To: submit@bugs.debian.org
Subject: libc6: LD_DEBUG should be ignored for suid/sgid binaries
Package: libc6
Version: 2.3.2.ds1-16
Severity: normal
Tags: security
Hello,
I read this article in LWN about how LD_DEBUG should be ignored for
suid/sgid binaries to avoid helping people to exploit race conditions:
http://lwn.net/Articles/99137/
Sarge exhibits this problem, as you can see here:
metaur@metaur:~$ ls -al /usr/bin/passwd
-rwsr-xr-x 1 root root 26616 2004-09-08 07:13 /usr/bin/passwd
metaur@metaur:~$ LD_DEBUG=all /usr/bin/passwd
6705:
6705: file=libcrypt.so.1; needed by /usr/bin/passwd
6705: find library=libcrypt.so.1; searching
6705: search cache=/etc/ld.so.cache
6705: trying file=/lib/libcrypt.so.1
6705:
6705: file=libcrypt.so.1; generating link map
6705: dynamic: 0x40026304 base: 0x40021000 size: 0x0002c55c
[...lots of output...]
Please consider patching this.
// Ulf Harnhammar
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.26-1-686
Locale: LANG=en_GB, LC_CTYPE=en_GB
Versions of packages libc6 depends on:
ii libdb1-compat 2.1.3-7 The Berkeley database routines [gl
-- no debconf information
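The session above shows the loader honouring LD_DEBUG for a setuid binary. As an added example, written for this page and not taken from the report or from glibc, the C program below shows the flag the kernel sets and ld.so consults to decide whether an execution is privileged (AT_SECURE, read via getauxval()), together with a helper a setuid program can use to strip loader-controlling LD_* variables from an environment before passing it to a child. The sample environment is constructed, and getauxval() is assumed to be available (glibc 2.16 or later).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>   /* getauxval(), AT_SECURE: assumes glibc >= 2.16 */

/* Non-zero when the kernel marked this execution as privileged (setuid,
 * setgid or file capabilities); glibc's ld.so reads the same AT_SECURE
 * flag to decide whether to discard its unsafe LD_* variables. */
int running_secure(void)
{
    return getauxval(AT_SECURE) != 0;
}

/* NAME=VALUE entries that steer the dynamic loader (LD_DEBUG, LD_PRELOAD,
 * LD_LIBRARY_PATH, ...); a prefix match also catches future LD_* knobs. */
int is_loader_var(const char *entry)
{
    return strncmp(entry, "LD_", 3) == 0;
}

/* Copy envp into a fresh NULL-terminated array (calloc zero-fills the tail)
 * without LD_* entries. Returns the number kept; *out is NULL on allocation
 * failure. The caller frees the array only; strings are shared with envp. */
size_t scrub_loader_env(char *const *envp, char ***out)
{
    size_t n = 0, kept = 0;
    while (envp[n] != NULL)
        n++;
    char **res = calloc(n + 1, sizeof *res);
    *out = res;
    if (res == NULL)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!is_loader_var(envp[i]))
            res[kept++] = envp[i];
    return kept;
}

int main(void)
{
    /* Constructed sample environment, not taken from the bug report. */
    char *const sample[] = { "PATH=/usr/bin", "LD_DEBUG=all", "HOME=/tmp",
                             "LD_LIBRARY_PATH=/tmp/lib", NULL };
    char **clean;
    size_t kept = scrub_loader_env(sample, &clean);
    printf("AT_SECURE=%d; kept %zu of 4 variables\n", running_secure(), kept);
    for (size_t i = 0; i < kept; i++) printf("  %s\n", clean[i]);
    free(clean);
    return 0;
}
```

Run as an ordinary user the program reports AT_SECURE=0; under a setuid copy it reports 1, which is the condition under which the loader is expected to drop LD_DEBUG.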
---------------------------------------
Date: Wed, 26 Jan 2005 23:46:10 +0900
Message-ID: <81651kp7t9.wl@omega.webmasters.gr.jp>
From: GOTO Masanori <gotom@debian.or.jp>
To: Ulf Härnhammar <Ulf.Harnhammar.9485@student.uu.se>,
272210-done@bugs.debian.org
Cc: GOTO Masanori <gotom@debian.or.jp>
Subject: Re: Bug#272210: libc6: LD_DEBUG should be ignored for suid/sgid binaries
At Mon, 27 Sep 2004 09:03:24 +0900,
GOTO Masanori wrote:
> At Sun, 26 Sep 2004 15:34:07 +0200,
> Ulf Härnhammar wrote:
> > As you can see, you can make a program pause for several minutes with this
> > technique. I'm not quite sure where the buffering comes from, if it's Perl or
> > what. I suppose I should try this in some other language.
>
> kill -SIGSTOP can also block the setuid program. So if your logic is
> applied, an attacker can block the setuid program with a lot of kill
> -STOP trial.
>
> > To sum up: LD_DEBUG prints lots of output, and that allows an attacker to
> > perform timing critical security attacks (doing nasty things between operations
> > like adding symlinks) by pausing a program at an arbitrary point. As suid/sgid
> > programs are the most security critical, libc6 should ignore LD_DEBUG when
> > running those.
>
> BTW, if pausing symlinks causes security problem, that program is
> broken without LD_DEBUG.
I think this report can be closed because (1) /proc/<pid>/maps can be
readable, (2) kill -STOP can be used on setuid apps, (3) if LD_DEBUG
printing debug messages causes a problem, then various apps which show a
lot of messages are also vulnerable. I stand with Jakub's opinion. I am
closing this bug. Ulf, if you still have doubts about this close, please
reopen this report with the sample security program attached to make
this problem clear.
Regards,
-- gotom