
Ldd(1) and Untrusted Binaries (2023)


While diagnosing a non-determinism issue in Bazel at work, I had to compare the dynamic libraries used by two builds of the same binary. To do so, I used ldd(1), and I had to refer to its manual page to understand details of the output I had never paid attention to before. There I found something surprising: ldd resolves dependencies by running the program's dynamic linker with LD_TRACE_LOADED_OBJECTS set, and when the program names an ELF interpreter other than the standard ld-linux.so, some versions of ldd fall back to executing the program directly. Whatever code that interpreter contains then runs, which makes ldd unsafe to use on untrusted binaries; the manual page itself recommends objdump -p /path/to/program | grep NEEDED instead. Read on for the history I could find around this issue and what alternatives you have.

I quickly posted this on Twitter and Mastodon, and the higher-than-usual engagement made me think that many more people than I were unaware of this behavior, so I had to investigate a bit more. Even though upstream did not accept the report as a security vulnerability, various people thought there was a real problem, and some Linux distributions patched ldd so that it never executes the binary directly. I do not have access to an old-enough unpatched Linux system to verify this behavior myself, but there is a trivial repro in the "ldd can execute an app unexpectedly" email thread, along with a simple fix.
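A static way to get the same information without handing the file to any loader, as an added example that is not from the original post: parse the ELF program headers, pull PT_INTERP and the DT_NEEDED entries out of PT_DYNAMIC, and flag an interpreter that is not one of the standard loaders. The sample ELF image is constructed inline (it is parse-only, not a real binary), the KNOWN_INTERPRETERS set is an illustrative assumption rather than glibc's actual compiled-in list, and only ELF64 little-endian files are handled.

```python
import struct
from typing import Dict, List, Optional, Tuple

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10

# Assumption: a short allow-list of standard loaders. glibc's ldd carries its own
# compiled-in list; this set is illustrative, not copied from glibc.
KNOWN_INTERPRETERS = {
    "/lib64/ld-linux-x86-64.so.2",
    "/lib/ld-linux.so.2",
    "/lib/ld-linux-aarch64.so.1",
}

Phdr = Tuple[int, int, int, int]  # (p_type, p_offset, p_vaddr, p_filesz)


def parse_program_headers(data: bytes) -> List[Phdr]:
    """Read the ELF64 LE program header table. Pure parsing, nothing is executed."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs: List[Phdr] = []
    for i in range(e_phnum):
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz, _memsz, _align = \
            struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_offset, p_vaddr, p_filesz))
    return phdrs


def _vaddr_to_offset(phdrs: List[Phdr], vaddr: int) -> int:
    """Translate a virtual address (e.g. DT_STRTAB) to a file offset via PT_LOAD."""
    for p_type, p_offset, p_vaddr, p_filesz in phdrs:
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError(f"vaddr {vaddr:#x} is not backed by any PT_LOAD segment")


def _cstring(data: bytes, off: int, limit: int) -> str:
    """NUL-terminated string bounded to [off, limit); malformed input raises."""
    end = data.index(b"\0", off, limit)
    return data[off:end].decode("ascii", errors="replace")


def inspect_elf(data: bytes) -> Dict[str, object]:
    """Return the interpreter and DT_NEEDED list, the way ldd would, but statically."""
    phdrs = parse_program_headers(data)
    interp: Optional[str] = None
    needed: List[str] = []
    for p_type, p_offset, p_vaddr, p_filesz in phdrs:
        if p_type == PT_INTERP:
            interp = _cstring(data, p_offset, p_offset + p_filesz)
        elif p_type == PT_DYNAMIC:
            entries: List[Tuple[int, int]] = []
            for off in range(p_offset, p_offset + p_filesz, 16):
                d_tag, d_val = struct.unpack_from("<qQ", data, off)
                if d_tag == DT_NULL:
                    break
                entries.append((d_tag, d_val))
            tags = {t: v for t, v in entries}  # DT_NEEDED repeats; only used for STRTAB/STRSZ
            if DT_STRTAB not in tags or DT_STRSZ not in tags:
                raise ValueError("PT_DYNAMIC lacks DT_STRTAB/DT_STRSZ")
            strtab_off = _vaddr_to_offset(phdrs, tags[DT_STRTAB])
            strtab_end = strtab_off + tags[DT_STRSZ]
            for d_tag, d_val in entries:
                if d_tag == DT_NEEDED:
                    needed.append(_cstring(data, strtab_off + d_val, strtab_end))
    return {
        "interpreter": interp,
        "needed": needed,
        "standard_interpreter": interp in KNOWN_INTERPRETERS,
    }


def build_sample_elf(interp: str = "/tmp/evil-ld.so",
                     needed: Tuple[str, ...] = ("libc.so.6", "libfoo.so.1")) -> bytes:
    """Constructed sample: a minimal ELF64 image with PT_LOAD, PT_INTERP and
    PT_DYNAMIC segments. It is not loadable; it exists only to exercise the parser."""
    interp_b = interp.encode() + b"\0"
    strtab, name_off = b"\0", []
    for n in needed:
        name_off.append(len(strtab))
        strtab += n.encode() + b"\0"
    phnum = 3
    interp_off = 64 + 56 * phnum
    strtab_off = interp_off + len(interp_b)
    dyn_off = (strtab_off + len(strtab) + 7) & ~7
    dyn = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in name_off)
    dyn += struct.pack("<qQ", DT_STRTAB, strtab_off)  # PT_LOAD below maps vaddr == offset
    dyn += struct.pack("<qQ", DT_STRSZ, len(strtab)) + struct.pack("<qQ", DT_NULL, 0)
    total = dyn_off + len(dyn)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 0x3E, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)

    def phdr(p_type: int, off: int, size: int) -> bytes:
        return struct.pack("<IIQQQQQQ", p_type, 4, off, off, off, size, size, 8)

    body = bytearray(total)
    body[0:64] = ehdr
    body[64:interp_off] = (phdr(PT_LOAD, 0, total) + phdr(PT_INTERP, interp_off, len(interp_b))
                           + phdr(PT_DYNAMIC, dyn_off, len(dyn)))
    body[interp_off:strtab_off] = interp_b
    body[strtab_off:strtab_off + len(strtab)] = strtab
    body[dyn_off:total] = dyn
    return bytes(body)


if __name__ == "__main__":
    for sample in (build_sample_elf(), build_sample_elf(interp="/lib64/ld-linux-x86-64.so.2")):
        print(inspect_elf(sample))
```

The point of the check is the interpreter, not the library list: a binary whose PT_INTERP points somewhere unexpected is exactly the one an old ldd would end up running, so a wrapper around this parser can refuse to fall back to ldd whenever standard_interpreter is false.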
