26 Jan
2016
26 Jan
'16
5:12 p.m.
$ORIGIN expansion in search_for_named_library() wrongly
takes into account all bits of rflags.
Signed-off-by: Leonid Lisovskiy <lly.dev(a)gmail.com>
---
ldso/ldso/dl-elf.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/ldso/ldso/dl-elf.c b/ldso/ldso/dl-elf.c
index 01b29da..5b8572a 100644
--- a/ldso/ldso/dl-elf.c
+++ b/ldso/ldso/dl-elf.c
@@ -162,7 +162,9 @@ search_for_named_library(const char *name, unsigned rflags, const char
*path_lis
if (plen >= 7 && _dl_memcmp(p, "$ORIGIN", 7) == 0) {
int olen;
- if (rflags && plen != 7)
+ /* $ORIGIN is not expanded for SUID/GUID programs
+ (except if it is $ORIGIN alone) */
+ if ((rflags & DL_RESOLVE_SECURE) && plen != 7)
continue;
if (origin == NULL)
continue;
--
1.8.5.6