Package: libc6
Version: 2.7-18
Severity: normal
File: /usr/bin/ldd

TLDP[1] says:

> Beware: do not run ldd on a program you don’t trust. As is
> clearly stated in the ldd(1) manual, ldd works by (in certain
> cases) by setting a special environment variable (for ELF
> objects, LD_TRACE_LOADED_OBJECTS) and then executing the
> program. It may be possible for an untrusted program to force
> the ldd user to run arbitrary code (instead of simply showing
> the ldd information). So, for safety’s sake, don’t use ldd on
> programs you don’t trust to execute.

However I haven’t found any mention of that in the Debian ldd(1) manpage. Is the warning still relevant? The “try_trace” function defined in the ldd script does invoke its argument just as described above.

I think the documentation should be updated either to warn the user or to state that the Debian version of ldd isn’t susceptible to the problem (if that is the case).

[1] http://tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html

-- System Information:
Debian Release: 5.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.18-53.el5.028stab051.1 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libc6 depends on:
ii  libgcc1  1:4.3.2-1.1  GCC support library

libc6 recommends no packages.

Versions of packages libc6 suggests:
pn  glibc-doc   <none>  (no description available)
pn  libc6-i686  <none>  (no description available)
ii  locales     2.7-10  GNU C Library: National Language (

-- debconf information:
  glibc/upgrade: true
  glibc/restart-failed:
  glibc/restart-services:
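The safe way to get the information ldd reports on a binary you do not trust is to read the ELF dynamic section directly instead of executing the file (this is what `readelf -d` and `objdump -p` do). The following is an added example, not code from the bug report or from glibc: it parses the DT_NEEDED entries of an ELF image from bytes alone, never running it, and refuses malformed string offsets rather than reading past the table. It assumes ELF64, little-endian, with section headers present; the `build_synthetic_elf` helper and the library names it uses are constructed test input, not real files. Note that this lists direct dependencies only, not the transitively resolved paths ldd prints.

```python
"""Added example (not from the bug report or glibc): list the DT_NEEDED entries
of an ELF binary without executing it. ldd's try_trace runs the target with
LD_TRACE_LOADED_OBJECTS set; reading .dynamic directly is the inspection-only
alternative. Assumptions: ELF64, little-endian, section headers present."""
import struct
import sys

ELF_HDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, 64 bytes
SEC_HDR = "<IIQQQQIIQQ"         # Elf64_Shdr, 64 bytes
DYN_ENT = "<qQ"                 # Elf64_Dyn: d_tag (signed), d_val
SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_NEEDED = 0, 1


def needed_libraries(data):
    """Return the DT_NEEDED names of an ELF64 LE image, parsing bytes only."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled by this example")
    hdr = struct.unpack_from(ELF_HDR, data, 0)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    if shoff == 0 or shnum == 0:
        return []                 # no section headers: nothing to inspect this way
    sections = [struct.unpack_from(SEC_HDR, data, shoff + i * shentsize)
                for i in range(shnum)]
    needed = []
    for sh in sections:
        if sh[1] != SHT_DYNAMIC:
            continue
        strtab = sections[sh[6]]  # sh_link names the string table (.dynstr)
        if strtab[1] != SHT_STRTAB:
            raise ValueError("dynamic section links to a non-string-table")
        str_off, str_size = strtab[4], strtab[5]
        off, end = sh[4], sh[4] + sh[5]
        if end > len(data) or str_off + str_size > len(data):
            raise ValueError("section extends past end of file")
        while off + 16 <= end:
            tag, val = struct.unpack_from(DYN_ENT, data, off)
            off += 16
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                if val >= str_size:   # malformed: refuse rather than read out of bounds
                    raise ValueError("DT_NEEDED string offset outside .dynstr")
                raw = data[str_off + val:str_off + str_size]
                needed.append(raw.split(b"\x00", 1)[0].decode("ascii", "replace"))
    return needed


def build_synthetic_elf(needed):
    """Constructed test input: a minimal ELF64 image with only .dynstr and .dynamic."""
    dynstr = b"\x00"              # index 0 of a string table is the empty string
    dyn = b""
    for name in needed:
        dyn += struct.pack(DYN_ENT, DT_NEEDED, len(dynstr))
        dynstr += name.encode("ascii") + b"\x00"
    dyn += struct.pack(DYN_ENT, DT_NULL, 0)
    dynstr_off = 64
    dyn_off = dynstr_off + len(dynstr)
    shoff = dyn_off + len(dyn)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # ELFCLASS64, LSB, EV_CURRENT
    # e_type=EXEC, e_machine=x86-64, 3 section headers, no program headers
    ehdr = struct.pack(ELF_HDR, ident, 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)
    sh_null = struct.pack(SEC_HDR, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    sh_dynstr = struct.pack(SEC_HDR, 0, SHT_STRTAB, 0, 0, dynstr_off, len(dynstr), 0, 0, 1, 0)
    sh_dynamic = struct.pack(SEC_HDR, 0, SHT_DYNAMIC, 0, 0, dyn_off, len(dyn), 1, 0, 8, 16)
    return ehdr + dynstr + dyn + sh_null + sh_dynstr + sh_dynamic


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            image = f.read()
    else:
        image = build_synthetic_elf(["libc.so.6", "libm.so.6"])  # constructed sample
    for name in needed_libraries(image):
        print(name)
```

Run it as `python3 needed.py /path/to/binary` to list the direct NEEDED entries; with no argument it parses the constructed sample. Because nothing in the file is ever mapped or executed, the check is safe to run on untrusted input, which is exactly the property ldd's try_trace lacks.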