Hi,

On 2023-10-05 09:33, Michael Hudson-Doyle wrote:
> I think that is the sort of conclusion upstream is coming to in
> https://inbox.sourceware.org/libc-alpha/20231003201151.1406279-1-siddh...@sourceware.org/T/#e9123bc53d892ab6552e05109ce939d531d741092
> too. In any case, the upstream bug tracker / mailing list is probably the
> place to start with this.

I fully agree with that. Let's try to not have a different behavior for
each distribution by getting this done upstream. If it doesn't work we
could look at doing that at the distribution level.

Regards
Aurelien

> On Thu, 5 Oct 2023 at 07:00, Christian Göttsche <cgzo...@googlemail.com>
> wrote:
>
> > Package: glibc
> > Version: 2.37-12
> >
> > In the light of the recent privilege escalation vulnerability I'd like
> > to suggest disabling the support for tunables in secure mode (most
> > notably for setuid-binaries).
> > This would mitigate future regressions in the handling of the
> > environment variable and possible vulnerabilities caused by the
> > interaction of particular options with security relevant applications.
> >
> > The support could either be disabled at compile time[1] or at runtime
> > via a file existence check (either by reusing `/etc/suid-debug` or a
> > new one like `/etc/suid-tunables`).
> >
> >
> > [1]:
> > https://git.altlinux.org/gears/g/glibc.git?p=glibc.git;a=commitdiff;h=5d1686416ab766f3dd0780ab730650c4c0f76ca9
> >
> >

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurel...@aurel32.net                     http://aurel32.net