QNX Technical Articles
QNX® Software Development Platform 6.5.0: LD_DEBUG_OUTPUT Security Vulnerability Patch (Patch ID 2324): Release Notes
Date of this edition: March 10, 2011
Target OS: This patch is compatible with targets that are running QNX® Neutrino® 6.5.0.
Host OS: In order to apply this patch, you must have installed the QNX Software Development Platform 6.5.0:
- as a self-hosted QNX Neutrino development system
- or on one of the following development hosts:
  - Microsoft Windows 7 Professional 32- and 64-bit, Vista Business 32- and 64-bit, XP Professional SP3, or 2000 SP4
  - Linux Red Hat Enterprise Linux 5.4 Desktop 32- and 64-bit, Red Hat Fedora 12, Ubuntu Workstation 9.10 32- and 64-bit, or openSUSE 11.2
For the most up-to-date version of these notes, go to our website (www.qnx.com), log into your myQNX account, and then go to the Download area.
Throughout this document, you may see reference numbers associated with particular issues, changes, etc. When corresponding with our Technical Support staff about a given issue, please quote the relevant reference number. You might also find the reference numbers useful for tracking issues as they become fixed.
What's in this patch?
This patch updates the following files:
- target/qnx6/armle-v7/lib/libc.so.3
- target/qnx6/armle/lib/libc.so.3
- target/qnx6/mipsbe/lib/libc.so.3
- target/qnx6/mipsle/lib/libc.so.3
- target/qnx6/ppcbe-spe/lib/libc.so.3
- target/qnx6/ppcbe/lib/libc.so.3
- target/qnx6/shle/lib/libc.so.3
- target/qnx6/x86/lib/libc.so.3
Fixed issues
This patch addresses a potential security vulnerability in the handling of the LD_DEBUG_OUTPUT environment variable that could have been exploited in an attack. This issue was originally reported to QNX Software Systems by Tim Brown, Nth Dimension.
You can use LD_DEBUG_OUTPUT to specify the name of the file where the dynamic linker writes its output. The vulnerability occurs if you use LD_DEBUG and LD_DEBUG_OUTPUT with a setuid binary:
- If the file specified by LD_DEBUG_OUTPUT exists, it's overwritten with the debug output, and the existing permissions are preserved.
- If the file doesn't exist, then a new file is created, owned by root and the user, and writable by both.
This could be exploited in different ways, including creating new files in arbitrary locations. We've addressed this issue by disabling the use of LD_DEBUG_OUTPUT with setuid binaries. (Ref# 84330, 87546)
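The kind of check this fix describes, as an added illustration that is not QNX's libc code: a loader-side helper ignores LD_DEBUG_OUTPUT when the real and effective ids differ. The struct and function names are hypothetical, the credentials and environment are constructed samples, and stripping the variable from the environment goes one step beyond what these notes state.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Credentials as a loader sees them at process start. */
struct creds { uid_t ruid, euid; gid_t rgid, egid; };

/* Elevated: a setuid or setgid bit changed the effective ids. */
static int is_elevated(const struct creds *c)
{
    return c->ruid != c->euid || c->rgid != c->egid;
}

/* Path the debug output may go to, or NULL when the variable is unset,
 * empty, or ignored because the process is elevated. */
const char *debug_output_path(const struct creds *c, const char *value)
{
    if (value == NULL || value[0] == '\0' || is_elevated(c))
        return NULL;
    return value;
}

/* In an elevated process, drop LD_DEBUG_OUTPUT entries from a
 * NULL-terminated envp in place. Returns the number removed. */
int scrub_env(const struct creds *c, char **envp)
{
    static const char name[] = "LD_DEBUG_OUTPUT=";
    char **out = envp;
    int removed = 0;
    for (char **in = envp; *in != NULL; in++) {
        if (is_elevated(c) && strncmp(*in, name, sizeof name - 1) == 0)
            removed++;
        else
            *out++ = *in;
    }
    *out = NULL;
    return removed;
}

int main(void)
{
    /* Constructed sample: uid 1000 running a setuid-root binary. */
    struct creds c = { 1000, 0, 1000, 1000 };
    char *env[] = { "PATH=/bin", "LD_DEBUG_OUTPUT=/tmp/ld.log", NULL };
    const char *p = debug_output_path(&c, "/tmp/ld.log");
    printf("output %s, %d variable(s) removed\n",
           p ? "honoured" : "ignored", scrub_env(&c, env));
    return 0;
}
```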
Known issues
None currently known.
Technical support
If you have any questions, comments, or problems with a QNX product, please contact Technical Support. For more information, see the How to Get Help chapter of the Welcome to the QNX Software Development Platform guide or visit our website, www.qnx.com.
