From f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Mon, 19 Jun 2017 17:09:55 +0200 Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1 programs [BZ #21624] LD_LIBRARY_PATH can only be used to reorder system search paths, which is not useful functionality. This makes an exploitable unbounded alloca in _dl_init_paths unreachable for AT_SECURE=1 programs. patch from: https://sourceware.org/git/?p=glibc.git;a=commit;h=f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d --- ChangeLog | 7 +++++++ elf/rtld.c | 3 ++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/elf/rtld.c b/elf/rtld.c index 2446a87..2269dbe 100644 --- a/elf/rtld.c +++ b/elf/rtld.c @@ -2422,7 +2422,8 @@ process_envvars (enum mode *modep) case 12: /* The library search path. */ - if (memcmp (envline, "LIBRARY_PATH", 12) == 0) + if (!__libc_enable_secure + && memcmp (envline, "LIBRARY_PATH", 12) == 0) { library_path = &envline[13]; break; -- 2.9.3
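Review bot: in the `case 12` branch of process_envvars, the added `!__libc_enable_secure` condition has no comment, and the existing comment still reads only "The library search path.", so a reader of elf/rtld.c cannot tell that LD_LIBRARY_PATH is deliberately ignored for AT_SECURE=1 programs or that this is what keeps them away from the alloca in _dl_init_paths. Suggest extending that comment to say the variable is ignored in secure mode and why. Per the commit message, the unbounded alloca itself is left as it is and only becomes unreachable for AT_SECURE=1 programs, so bounding that allocation in _dl_init_paths deserves a follow-up change. The diffstat also lists ChangeLog with 7 insertions, but only the elf/rtld.c hunk is carried here; either include the ChangeLog hunk or drop it from the stat so the patch matches its header.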
path: root/tests/cran.scm
Age | Commit message | Author
2020-01-16 | import: cran: Avoid uses of '@@' in the tests. ... * guix/import/cran.scm (description->alist, description->package): Export. <top level>: Set! 'listify'. * tests/cran.scm (description-alist, "description->package"): Remove use of '@@' to access the relevant bindings. | Ludovic Courtès
2017-05-13 | import: cran: Robustify cran-package?. ... * guix/import/cran.scm (package->upstream-name): Return #f if url start and end index could not be determined. (cran-package?): Check if the upstream-name can be extracted from given package. * tests/cran.scm: Add "r-minimal is not a cran package" to make sure that r-minimal is not detected as a cran package. This fixes a failure of guix refresh on r-minimal because no upstream-name can be determined from ".../R-version.tar.gz" uri. | Mathieu Othacehe
2017-03-08 | tests: Avoid zero-expression 'begin' form. ... * tests/cran.scm ("description->package"): Add body after the expected pattern in 'match'. | Ludovic Courtès
2016-11-10 | tests: Adjust 'url-fetch' mocks to TLS changes. ... This is a followup to bc3c41ce36349ed4ec758c70b48a7059e363043a. * tests/cpan.scm ("cpan->guix-package"): Add #:verify-certificate? parameter in 'url-fetch' mock. * tests/cran.scm ("description->package"): Likewise. | Ludovic Courtès