
Bug#272210: marked as done (libc6: LD_DEBUG should be ignored for suid/sgid binaries)



Your message dated Wed, 26 Jan 2005 23:46:10 +0900
with message-id <81651kp7t9.wl@omega.webmasters.gr.jp>
and subject line Bug#272210: libc6: LD_DEBUG should be ignored for suid/sgid binaries
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 18 Sep 2004 11:20:15 +0000
From Ulf.Harnhammar.9485@student.uu.se Sat Sep 18 04:20:15 2004
Return-path: <Ulf.Harnhammar.9485@student.uu.se>
Received: from limicola.its.uu.se [130.238.7.33] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1C8dGI-0004We-00; Sat, 18 Sep 2004 04:20:15 -0700
Received: by limicola.its.uu.se (Postfix, from userid 205)
	id 4DBE1115802; Sat, 18 Sep 2004 13:20:12 +0200 (MSZ)
Received: from limicola.its.uu.se(127.0.0.1) by limicola.its.uu.se via virus-scan 
	id s2485; Sat, 18 Sep 04 13:20:08 +0200
Received: from bubo.its.uu.se (bubo3.its.UU.SE [130.238.4.189])
	by limicola.its.uu.se (Postfix) with ESMTP id D71E0111022
	for <submit@bugs.debian.org>; Sat, 18 Sep 2004 13:20:08 +0200 (MSZ)
Received: from bubo ([127.0.0.1] helo=localhost)
	by bubo.its.uu.se with esmtp (Exim 3.35 #1 (Debian))
	id 1C8dGC-0006Cq-00
	for <submit@bugs.debian.org>; Sat, 18 Sep 2004 13:20:08 +0200
Received: from pc-79-48.svc.UU.SE (pc-79-48.svc.UU.SE [130.238.79.48]) 
	by webmail.uu.se (IMP) with HTTP 
	for <ulha9485@localhost>; Sat, 18 Sep 2004 13:20:08 +0200
Message-ID: <1095506408.414c19e8aae86@webmail.uu.se>
Date: Sat, 18 Sep 2004 13:20:08 +0200
From: Ulf Härnhammar <Ulf.Harnhammar.9485@student.uu.se>
To: submit@bugs.debian.org
Subject: libc6: LD_DEBUG should be ignored for suid/sgid binaries
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
User-Agent: Internet Messaging Program (IMP) 3.2.1
Content-Transfer-Encoding: quoted-printable
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.8 required=4.0 tests=BAYES_00,FROM_ENDS_IN_NUMS,
	HAS_PACKAGE autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

Subject: libc6: LD_DEBUG should be ignored for suid/sgid binaries
Package: libc6
Version: 2.3.2.ds1-16
Severity: normal
Tags: security

Hello,

I read this article in LWN about how LD_DEBUG should be ignored for
suid/sgid binaries to avoid helping people to exploit race conditions:

http://lwn.net/Articles/99137/

Sarge exhibits this problem, as you can see here:

metaur@metaur:~$ ls -al /usr/bin/passwd
-rwsr-xr-x  1 root root 26616 2004-09-08 07:13 /usr/bin/passwd
metaur@metaur:~$ LD_DEBUG=all /usr/bin/passwd
      6705:
      6705:     file=libcrypt.so.1;  needed by /usr/bin/passwd
      6705:     find library=libcrypt.so.1; searching
      6705:      search cache=/etc/ld.so.cache
      6705:       trying file=/lib/libcrypt.so.1
      6705:
      6705:     file=libcrypt.so.1;  generating link map
      6705:       dynamic: 0x40026304  base: 0x40021000   size: 0x0002c55c
[...lots of output...]

Please consider patching this.

// Ulf Harnhammar

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.26-1-686
Locale: LANG=en_GB, LC_CTYPE=en_GB

Versions of packages libc6 depends on:
ii  libdb1-compat                 2.1.3-7    The Berkeley database routines [gl

-- no debconf information
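The behaviour the report asks for, as an added illustration that is not code from this bug log or from glibc: scrub the inherited environment of loader-control variables when the kernel has flagged the process as set-id (AT_SECURE), so that LD_DEBUG never reaches the dynamic loader of a suid/sgid program. The variable list is a hand-picked subset modelled on glibc's unsecvars.h, and the sample environment is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>   /* getauxval(), AT_SECURE (Linux, glibc >= 2.16) */

/* Hand-picked subset modelled on glibc's unsecvars.h (illustration, not glibc's list). */
static const char *const unsecure_vars[] = {
    "LD_DEBUG", "LD_DEBUG_OUTPUT", "LD_PRELOAD", "LD_LIBRARY_PATH",
    "LD_AUDIT", "LD_PROFILE", NULL
};

/* Match "NAME=value" on NAME only, so LD_DEBUGX=1 does not match LD_DEBUG. */
static int is_unsecure(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t n = eq ? (size_t)(eq - entry) : strlen(entry);
    for (const char *const *v = unsecure_vars; *v; v++)
        if (strlen(*v) == n && memcmp(*v, entry, n) == 0)
            return 1;
    return 0;
}

/* Compact NULL-terminated envp in place, dropping unsecure entries when secure
 * is nonzero (what ld.so does under AT_SECURE).  Returns the count removed. */
int scrub_env(char **envp, int secure)
{
    int removed = 0;
    char **dst = envp;
    for (char **src = envp; *src; src++) {
        if (secure && is_unsecure(*src)) { removed++; continue; }
        *dst++ = *src;
    }
    *dst = NULL;
    return removed;
}

/* Kernel's verdict: AT_SECURE is set for setuid/setgid and capability-bearing executables. */
int running_secure(void) { return getauxval(AT_SECURE) != 0; }

int main(void)
{
    /* Constructed sample environment, like one a setuid passwd might inherit. */
    char *env[] = { "PATH=/usr/bin:/bin", "LD_DEBUG=all", "HOME=/home/metaur",
                    "LD_PRELOAD=libfoo.so", NULL };
    int removed = scrub_env(env, 1);   /* secure mode forced for the demo */
    printf("removed %d; this process %s\n", removed,
           running_secure() ? "is set-id (AT_SECURE)" : "is not set-id");
    for (char **e = env; *e; e++)
        puts(*e);
    return 0;
}
```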


---------------------------------------
Received: (at 272210-done) by bugs.debian.org; 26 Jan 2005 14:46:13 +0000
From gotom@debian.or.jp Wed Jan 26 06:46:12 2005
Return-path: <gotom@debian.or.jp>
Received: from omega.webmasters.gr.jp (webmasters.gr.jp) [218.44.239.78] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1CtoQu-0007rI-00; Wed, 26 Jan 2005 06:46:12 -0800
Received: from omega.webmasters.gr.jp (localhost [127.0.0.1])
	by webmasters.gr.jp (Postfix) with ESMTP
	id 007CFDEB3B; Wed, 26 Jan 2005 23:46:10 +0900 (JST)
Date: Wed, 26 Jan 2005 23:46:10 +0900
Message-ID: <81651kp7t9.wl@omega.webmasters.gr.jp>
From: GOTO Masanori <gotom@debian.or.jp>
To: Ulf Härnhammar <Ulf.Harnhammar.9485@student.uu.se>,
	272210-done@bugs.debian.org
Cc: GOTO Masanori <gotom@debian.or.jp>
Subject: Re: Bug#272210: libc6: LD_DEBUG should be ignored for suid/sgid binaries
In-Reply-To: <81y8iwmvcj.wl@omega.webmasters.gr.jp>
References: <1095506408.414c19e8aae86@webmail.uu.se>
	<87pt4j6pbm.wl@rhodes.gotom.jp>
	<1095606750.414da1dee287d@webmail.uu.se>
	<81isa2obcg.wl@omega.webmasters.gr.jp>
	<1096205647.4156c54f30e55@webmail.uu.se>
	<81y8iwmvcj.wl@omega.webmasters.gr.jp>
User-Agent: Wanderlust/2.9.9 (Unchained Melody) SEMI/1.14.3 (Ushinoya)
 FLIM/1.14.3 (Unebigoryōmae) APEL/10.3 Emacs/21.2
 (i386-debian-linux-gnu) MULE/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.3 - "Ushinoya")
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Delivered-To: 272210-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

At Mon, 27 Sep 2004 09:03:24 +0900,
GOTO Masanori wrote:
> At Sun, 26 Sep 2004 15:34:07 +0200,
> Ulf Härnhammar wrote:
> > As you can see, you can make a program pause for several minutes with this
> > technique. I'm not quite sure where the buffering comes from, if it's Perl or
> > what. I suppose I should try this in some other language.
>
> kill -SIGSTOP can also block the setuid program.  So if your logic is
> applied, an attacker can block the setuid program with a lot of kill
> -STOP trials.
>
> > To sum up: LD_DEBUG prints lots of output, and that allows an attacker to
> > perform timing-critical security attacks (doing nasty things between operations
> > like adding symlinks) by pausing a program at an arbitrary point. As suid/sgid
> > programs are the most security critical, libc6 should ignore LD_DEBUG when
> > running those.
>
> BTW, if pausing symlinks causes a security problem, that program is
> broken without LD_DEBUG.

I think this report can be closed because (1) /proc/<pid>/maps can be
readable, (2) kill -STOP can be used on setuid apps, and (3) if LD_DEBUG
printing debug messages causes a problem, then various apps which show a
lot of messages are also vulnerable.  I stand for Jakub's opinion.  I
close this bug.  Ulf, if you still have doubts about this close, please
reopen this report, attaching a sample security program to make sure of
this problem.

Regards,
-- gotom


