I think that is the sort of conclusion upstream is coming to in
https://inbox.sourceware.org/libc-alpha/20231003201151.1406279-1-siddh...@sourceware.org/T/#e9123bc53d892ab6552e05109ce939d531d741092
too. In any case, the upstream bug tracker / mailing list is probably the
place to start with this.

On Thu, 5 Oct 2023 at 07:00, Christian Göttsche <cgzo...@googlemail.com>
wrote:

> Package: glibc
> Version: 2.37-12
>
> In the light of the recent privilege escalation vulnerability I'd like
> to suggest disabling the support for tunables in secure mode (most
> notably for setuid binaries).
> This would mitigate future regressions in the handling of the
> environment variable and possible vulnerabilities caused by the
> interaction of particular options with security relevant applications.
>
> The support could either be disabled at compile time[1] or at runtime
> via a file existence check (either by reusing `/etc/suid-debug` or a
> new one like `/etc/suid-tunables`).
>
>
> [1]:
> https://git.altlinux.org/gears/g/glibc.git?p=glibc.git;a=commitdiff;h=5d1686416ab766f3dd0780ab730650c4c0f76ca9
>
>

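The runtime opt-in check suggested in the quoted report, sketched as an added example. This is not glibc code, nor the ALT Linux patch linked as [1]; the marker path /etc/suid-tunables, the helper names and the simplified NAME=VALUE parser are assumptions taken from the suggestion, not anything glibc implements. Secure mode is read from AT_SECURE, which is what the kernel sets for setuid/setgid/capability-raised processes and what glibc itself derives __libc_enable_secure from.

```c
/* Added example (not glibc's own code): a sketch of the policy proposed in
 * the report above.  Tunables are honoured unconditionally in a non-secure
 * process; in secure mode (AT_SECURE set) they are honoured only if an
 * administrator-created marker file exists.  The marker path below is the
 * name suggested in the report, not something glibc implements. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/auxv.h>
#endif

#define DEFAULT_MARKER "/etc/suid-tunables"   /* assumed opt-in marker */

/* Return 1 if GLIBC_TUNABLES-style settings should be parsed, 0 otherwise. */
int tunables_allowed(int secure, const char *marker)
{
    if (!secure)
        return 1;
    /* Secure mode: require an explicit administrator opt-in. */
    return access(marker, F_OK) == 0;
}

/* Pick the tunables string to act on; NULL means "ignore the environment". */
const char *select_tunables(int secure, const char *marker, const char *env_value)
{
    if (env_value == NULL || *env_value == '\0')
        return NULL;
    return tunables_allowed(secure, marker) ? env_value : NULL;
}

/* Count colon-separated NAME=VALUE pairs, returning -1 on a malformed entry
 * (empty segment, missing '=' or empty name).  This follows the general
 * shape of GLIBC_TUNABLES only; glibc's real parser is more elaborate. */
int count_tunable_pairs(const char *s)
{
    int n = 0;
    while (*s) {
        const char *end = strchr(s, ':');
        size_t len = end ? (size_t)(end - s) : strlen(s);
        const char *eq = memchr(s, '=', len);
        if (eq == NULL || eq == s)
            return -1;
        n++;
        if (end == NULL)
            break;
        s = end + 1;
    }
    return n;
}

/* Determine whether this process is running in secure mode. */
int process_is_secure(void)
{
#ifdef __linux__
    return getauxval(AT_SECURE) != 0;
#else
    /* Fallback heuristic for systems without AT_SECURE. */
    return getuid() != geteuid() || getgid() != getegid();
#endif
}

int main(void)
{
    int secure = process_is_secure();
    const char *t = select_tunables(secure, DEFAULT_MARKER, getenv("GLIBC_TUNABLES"));
    printf("secure=%d tunables=%s", secure, t ? t : "(ignored)\n");
    if (t)
        printf(" (%d pairs)\n", count_tunable_pairs(t));
    return 0;
}
```

Run it once normally and once as a setuid copy owned by another user (with and without the marker file present) to see the three outcomes: tunables honoured, ignored in secure mode, and honoured again after the administrator opts in. The point of the file check over the compile-time option is that a distribution can ship the conservative default while still letting an administrator re-enable tunables for a debugging session without rebuilding glibc.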