author Andreas Schwab <schwab@suse.de> 2017-08-28 19:49:18 +0200
committer Florian Weimer <fweimer@redhat.com> 2017-08-28 19:49:18 +0200
commit 6043d77a47de297b62084c1c261cdada082bf09c
tree 1c3f6c57688b94a3e5122437444eb55d6fbdaeb2 /NEWS
parent 77db8772bd3f6f2bbad697dcf46861ce310f5b95
ldd: never run file directly
(cherry picked from commit eedca9772e99c72ab4c3c34e43cc764250aa3e3c)
Diffstat (limited to 'NEWS')
-rw-r--r-- NEWS 9
1 files changed, 9 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 0534c5296e..756e849643 100644
--- a/NEWS
+++ b/NEWS
@@ -7,8 +7,17 @@ using `glibc' in the "product" field.
Version 2.26.1
+Security related changes:
+
+ CVE-2009-5064: The ldd script would sometimes run the program under
+ examination directly, without preventing code execution through the
+ dynamic linker. (The glibc project disputes that this is a security
+ vulnerability; only trusted binaries must be examined using the ldd
+ script.)
+
The following bugs are resolved with this release:
+ [16750] ldd: Never run file directly.
[21242] assert: Suppress pedantic warning caused by statement expression
[21780] posix: Set p{read,write}v2 to return ENOTSUP
[21871] x86-64: Use _dl_runtime_resolve_opt only with AVX512F
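Review bot: In the CVE-2009-5064 paragraph, the parenthetical "only trusted binaries must be examined using the ldd script" can be read as a requirement that trusted binaries be examined; "the ldd script must only be used to examine trusted binaries" states the intended restriction unambiguously. The paragraph also describes only the old behaviour ("would sometimes run the program under examination directly") and does not reference the bug number, so a reader has to infer that it corresponds to the "[16750] ldd: Never run file directly." line added further down; appending "(bug 16750)" to the CVE entry would tie the two together.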