Message-Id: <201009290708.13843.timb@nth-dimension.org.uk>
Date: Wed, 29 Sep 2010 07:08:10 +0100
From: Tim Brown <timb@...-dimension.org.uk>
To: oss-security@...ts.openwall.com
Cc: Raphael Geissert <geissert@...ian.org>
Subject: Re: RFC: changing the behaviour of ld.so(8) regarding empty items on LD_LIBRARY_PATH
On Wednesday 29 September 2010 00:42:05 Raphael Geissert wrote:
> Hi everyone,
>
> I have talked to one of the eglibc Debian maintainers about making ld.so
> ignore empty items on LD_LIBRARY_PATH instead of treating them as '.', and
> he doesn't have any objection.
>
> Although this is a behaviour change, I do not think there is any real case
> where an empty item was added on purpose (I even have yet to see one that
> uses '.'.)
> We are therefore considering making this change starting with our next
> stable release.
>
> What do the others think about it? Do you think you would follow that
> change too?
>
> This change has been proposed by some people multiple times along the
> years, yet nothing has changed (not even properly discussed, I believe.)
> Has this change ever been proposed to glibc upstream? (maybe the RedHat
> people can help with this.)
>
>
> There is a similar issue with $PATH, but we have no plans for it so far
> (execvp(8) claims ":/bin:/usr/bin" is the default if $PATH is unset, in
> some setups.)

You have my vote, I proposed the very same on oss-security a couple of weeks
back (http://www.openwall.com/lists/oss-security/2010/08/29/4). I'm actually
working on a paper about exploiting the linker at the moment (seems many
people don't fully understand it), I'll be more than happy to share it when
it's complete.

Tim
--
Tim Brown
<mailto:timb@...-dimension.org.uk>
<http://www.nth-dimension.org.uk/>
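
Added example, not part of the original message and not eglibc or glibc code: a shell audit for the empty LD_LIBRARY_PATH items discussed above, a prepend that never creates one, and a filter that drops them as the proposed change would. It goes slightly beyond the thread by also flagging other relative items, since they too are resolved against the current directory; the function names and sample values are constructed for illustration, and an empty value is assumed to mean "no search path".

```shell
# path_cwd_items VALUE
# Prints "<position>:<kind>" for each item that resolves against the current
# directory: "empty" (treated as '.', per the thread), "dot" or "relative".
path_cwd_items() {
    rest=$1
    if [ -z "$rest" ]; then return 0; fi   # assumption: empty value = no items
    pos=0
    while :; do
        pos=$((pos + 1))
        case $rest in
            *:*) item=${rest%%:*}; rest=${rest#*:}; more=1 ;;
            *)   item=$rest; more=0 ;;
        esac
        case $item in
            "")   echo "$pos:empty" ;;
            .|./) echo "$pos:dot" ;;
            /*)   ;;                       # absolute path: nothing to report
            *)    echo "$pos:relative" ;;
        esac
        [ "$more" -eq 1 ] || break
    done
}

# path_prepend DIR CURRENT
# Prepends DIR without leaving a trailing empty item when CURRENT is empty,
# which is what DIR:$LD_LIBRARY_PATH does if the variable was unset.
path_prepend() {
    printf '%s\n' "$1${2:+:$2}"
}

# path_drop_empty VALUE
# Prints VALUE with empty items removed (the behaviour proposed in the thread).
path_drop_empty() {
    out=
    rest=$1
    while [ -n "$rest" ]; do
        case $rest in
            *:*) item=${rest%%:*}; rest=${rest#*:} ;;
            *)   item=$rest; rest= ;;
        esac
        if [ -n "$item" ]; then out="${out:+$out:}$item"; fi
    done
    printf '%s\n' "$out"
}

# Constructed sample: result of LD_LIBRARY_PATH=/opt/app/lib:$LD_LIBRARY_PATH
# in a wrapper script when the variable was previously unset.
sample='/opt/app/lib:'
echo "risky items in '$sample': $(path_cwd_items "$sample")"
echo "safe prepend gives: $(path_prepend /opt/app/lib '')"
```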