Quoting GOTO Masanori <[EMAIL PROTECTED]>: > At Sat, 18 Sep 2004 13:20:08 +0200, Ulf H�rnhammar wrote: > > I read this article in LWN about how LD_DEBUG should be ignored for > > suid/sgid binaries to avoid helping people to exploit race conditions:
> Isn't "cat /proc/<pid>/maps" security critical? Well, there are two issues here - one of exposing information and one of allowing pauses and single-stepping through programs. Both /proc/<pid>/maps and LD_DEBUG allow the first issue to happen, while only LD_DEBUG allows the second (and to me the more critical one) to happen. Read the LWN article and this Bugtraq thread: http://seclists.org/lists/bugtraq/2004/Aug/0226.html > > Please consider patching this. > Where? In libc6. Both Gentoo and OpenWALL have the patch available for downloading. -- Ulf Harnhammar http://www.advogato.org/person/metaur/
