Untrusted Search Path
CVE-2017-16997
Summary
"elf/dl-load.c" in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles "RPATH" and "RUNPATH" containing "$ORIGIN" for a privileged (setuid or "AT_SECURE") program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the "fillin_rpath" and "decompose_rpath" functions. This is associated with misinterpretation of an empty "RPATH/RUNPATH" token as the "./" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.
- LOW
- LOCAL
- HIGH
- UNCHANGED
- REQUIRED
- NONE
- HIGH
- HIGH
CWE-426 - Untrusted Search Path
The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control.
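An audit check for the configuration described in the summary, as an added example that is not code from glibc or from this advisory: it reads the RPATH/RUNPATH entries printed by `readelf -d` for a privileged binary and flags "$ORIGIN" tokens and empty tokens. The function names, the extra "relative" finding and the sample readelf output are assumptions constructed for illustration.

```python
import re

# RPATH/RUNPATH lines as printed by `readelf -d <binary>`.
_DYN_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library (?:rpath|runpath): \[(.*)\]")
# $ORIGIN or ${ORIGIN}, but not a longer name such as $ORIGINAL.
_ORIGIN_RE = re.compile(r"\$(?:ORIGIN\b|\{ORIGIN\})")


def audit_search_path(value):
    """Return sorted findings for one colon-separated RPATH/RUNPATH string."""
    findings = set()
    for token in value.split(":"):
        if token == "":
            # Empty token: the case the advisory says was read as "./".
            findings.add("empty-token")
        elif _ORIGIN_RE.search(token):
            findings.add("origin")
        elif not token.startswith("/"):
            # Assumption: any non-absolute token is also worth reviewing.
            findings.add("relative")
    return sorted(findings)


def audit_readelf_dynamic(text):
    """Map (tag, value) to findings for each flagged RPATH/RUNPATH entry."""
    report = {}
    for tag, value in _DYN_RE.findall(text):
        findings = audit_search_path(value)
        if findings:
            report[(tag, value)] = findings
    return report


# Constructed sample of `readelf -d` output for a hypothetical setuid binary.
SAMPLE_FLAGGED = """\
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [$ORIGIN/../lib:]
"""

# Constructed sample with only an absolute search path.
SAMPLE_CLEAN = """\
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [/opt/app/lib]
"""

if __name__ == "__main__":
    for entry, findings in audit_readelf_dynamic(SAMPLE_FLAGGED).items():
        print(entry, findings)
```

Feed it the `readelf -d` output of each setuid or setgid binary on a host; any non-empty report marks a binary whose search path should be rebuilt with absolute directories only.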