Package: libc6
Version: 2.7-18
Severity: normal
File: /usr/bin/ldd

TLDP[1] says:

>    Beware:  do not run ldd on a program  you don’t trust.  As is
>    clearly stated in the ldd(1) manual, ldd works by (in certain
>    cases) by setting  a special  environment  variable  (for ELF
>    objects,  LD_TRACE_LOADED_OBJECTS)  and  then  executing  the
>    program. It may be possible for an untrusted program to force
>    the ldd user to run arbitrary code (instead of simply showing
>    the ldd information). So, for safety’s sake, don’t use ldd on
>    programs you don’t trust to execute.

However I haven’t found any mention of that in Debian ldd(1) manpage. Is
the warning still relevant?  The “try_trace” function defined in the ldd
script does  invoke its argument  just as  described above.  I think the
documentation should be updated either to warn the user or to state that
the Debian version  of ldd isn’t susceptible to the  problem (if that is
the case).


-- System Information:
Debian Release: 5.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-53.el5.028stab051.1 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libc6 depends on:
ii  libgcc1                      1:4.3.2-1.1 GCC support library

libc6 recommends no packages.

Versions of packages libc6 suggests:
pn  glibc-doc                     <none>     (no description available)
pn  libc6-i686                    <none>     (no description available)
ii  locales                       2.7-10     GNU C Library: National Language (

-- debconf information:
  glibc/upgrade: true

To UNSUBSCRIBE, email to
with a subject of "unsubscribe". Trouble? Contact

Reply via email to