[PATCH] Backport two ltdl fixes to fix CVE-2009-3736
Jakub Jelinek
jakub@redhat.com
Thu Dec 3 09:12:00 GMT 2009
Hi!
libgcj System.loadLibrary which uses lt_dlopen{,ext} under the hood
tries to open even files in the current directory. When running
a Java program from an untrusted directory (such as /tmp), someone might
put there a rogue *.la or *.so file and let libgcj dlopen it instead of
the library it was supposed to load. Additionally, while e.g. libtool.m4
in gcc 4.4/4.5 is correct, acinclude.m4 in libjava/libltdl hasn't been
regenerated and so the hardcoded search path to libraries could include
stuff like ...:hwcap:0:nosegneg:... and search hwcap/, 0/ and nosegneg/
subdirs of the current directory for *.la files and *.so libraries.
Fixed thusly, bootstrapped/regtested on {x86_64,i686,powerpc{,64}}-linux.
Ok for 4.4/4.3? The trunk I'll leave for Ralf's 2.2.6b backport instead.
2009-12-03 Jakub Jelinek <jakub@redhat.com>
* acinclude.m4: Regenerated to pick:
2007-06-22 Ralf Wildenhues <Ralf.Wildenhues@gmx.de>
* libtool.m4 (AC_LIBTOOL_SYS_DYNAMIC_LINKER) [linux]:
Ignore lines in ld.so.conf starting with 'hwcap '.
* configure: Regenerated.
2009-11-24 Peter O'Gorman <peter@pogma.com>
Backport of libltdl changes from the 2.26b release.
* ltdl.c: Backport changes.
--- libjava/libltdl/ltdl.c.jj 2008-09-05 12:57:53.000000000 +0200
+++ libjava/libltdl/ltdl.c 2009-12-02 18:19:11.000000000 +0100
@@ -2175,7 +2175,8 @@ static int trim LT_PARAMS((char *
static int try_dlopen LT_PARAMS((lt_dlhandle *handle,
const char *filename));
static int tryall_dlopen LT_PARAMS((lt_dlhandle *handle,
- const char *filename));
+ const char *filename,
+ const char * useloader));
static int unload_deplibs LT_PARAMS((lt_dlhandle handle));
static int lt_argz_insert LT_PARAMS((char **pargz,
size_t *pargz_len,
@@ -2361,9 +2362,10 @@ lt_dlexit ()
}
static int
-tryall_dlopen (handle, filename)
+tryall_dlopen (handle, filename, useloader)
lt_dlhandle *handle;
const char *filename;
+ const char *useloader;
{
lt_dlhandle cur;
lt_dlloader *loader;
@@ -2430,6 +2432,11 @@ tryall_dlopen (handle, filename)
while (loader)
{
+ if (useloader && strcmp(loader->loader_name, useloader))
+ {
+ loader = loader->next;
+ continue;
+ }
lt_user_data data = loader->dlloader_data;
cur->module = loader->module_open (data, filename);
@@ -2499,7 +2506,7 @@ tryall_dlopen_module (handle, prefix, di
error += tryall_dlopen_module (handle,
(const char *) 0, prefix, filename);
}
- else if (tryall_dlopen (handle, filename) != 0)
+ else if (tryall_dlopen (handle, filename, NULL) != 0)
{
++error;
}
@@ -2520,7 +2527,7 @@ find_module (handle, dir, libdir, dlname
/* Try to open the old library first; if it was dlpreopened,
we want the preopened version of it, even if a dlopenable
module is available. */
- if (old_name && tryall_dlopen (handle, old_name) == 0)
+ if (old_name && tryall_dlopen (handle, old_name, "dlpreload") == 0)
{
return 0;
}
@@ -2784,7 +2791,7 @@ find_handle_callback (filename, data, ig
/* Try to dlopen the file, but do not continue searching in any
case. */
- if (tryall_dlopen (handle, filename) != 0)
+ if (tryall_dlopen (handle, filename,NULL) != 0)
*handle = 0;
return 1;
@@ -3072,7 +3079,7 @@ try_dlopen (phandle, filename)
/* lt_dlclose()ing yourself is very bad! Disallow it. */
LT_DLSET_FLAG (*phandle, LT_DLRESIDENT_FLAG);
- if (tryall_dlopen (&newhandle, 0) != 0)
+ if (tryall_dlopen (&newhandle, 0, NULL) != 0)
{
LT_DLFREE (*phandle);
return 1;
@@ -3194,7 +3201,7 @@ try_dlopen (phandle, filename)
}
#endif
}
- if (!file)
+ else
{
file = fopen (filename, LT_READTEXT_MODE);
}
@@ -3378,7 +3385,7 @@ try_dlopen (phandle, filename)
#endif
)))
{
- if (tryall_dlopen (&newhandle, filename) != 0)
+ if (tryall_dlopen (&newhandle, filename, NULL) != 0)
{
newhandle = NULL;
}
--- libjava/libltdl/acinclude.m4.jj 2008-09-05 12:57:53.000000000 +0200
+++ libjava/libltdl/acinclude.m4 2009-12-02 19:47:40.000000000 +0100
@@ -1527,7 +1527,7 @@ linux*)
# Append ld.so.conf contents to the search path
if test -f /etc/ld.so.conf; then
- lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;s/[:,\t]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+ lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
sys_lib_dlsearch_path_spec="/lib${libsuff} /usr/lib${libsuff} $lt_ld_extra"
fi
--- libjava/libltdl/configure.jj 2009-09-01 11:05:06.000000000 +0200
+++ libjava/libltdl/configure 2009-12-02 19:50:23.000000000 +0100
@@ -9160,7 +9160,7 @@ linux*)
# Append ld.so.conf contents to the search path
if test -f /etc/ld.so.conf; then
- lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;s/[:,\t]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+ lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
sys_lib_dlsearch_path_spec="/lib${libsuff} /usr/lib${libsuff} $lt_ld_extra"
fi
@@ -12576,7 +12576,7 @@ linux*)
# Append ld.so.conf contents to the search path
if test -f /etc/ld.so.conf; then
- lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;s/[:,\t]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+ lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
sys_lib_dlsearch_path_spec="/lib${libsuff} /usr/lib${libsuff} $lt_ld_extra"
fi
@@ -15489,7 +15489,7 @@ linux*)
# Append ld.so.conf contents to the search path
if test -f /etc/ld.so.conf; then
- lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;s/[:,\t]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+ lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
sys_lib_dlsearch_path_spec="/lib${libsuff} /usr/lib${libsuff} $lt_ld_extra"
fi
@@ -17916,7 +17916,7 @@ linux*)
# Append ld.so.conf contents to the search path
if test -f /etc/ld.so.conf; then
- lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;s/[:,\t]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+ lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
sys_lib_dlsearch_path_spec="/lib${libsuff} /usr/lib${libsuff} $lt_ld_extra"
fi
Jakub
More information about the Java-patches
mailing list