Several bugs were discovered in glibc which could allow local users to
gain root privileges.
|
|
---------------------------------------------------------------------
Red Hat, Inc. Security Advisory
Synopsis: glibc vulnerabilities in ld.so, locale and gettext
Advisory ID: RHSA-2000:057-01
Issue date: 2000-09-01
Updated on: 2000-09-01
Product: Red Hat Linux
Keywords: glibc ld.so locale LANG gettext LD_PRELOAD threads
Cross references: N/A
---------------------------------------------------------------------
1. Topic:
Several bugs were discovered in glibc which could allow local users to
gain root privileges.
2. Relevant releases/architectures:
Red Hat Linux 5.0 - i386, alpha
Red Hat Linux 5.1 - i386, alpha, sparc
Red Hat Linux 5.2 - i386, alpha, sparc
Red Hat Linux 6.0 - i386, alpha, sparc
Red Hat Linux 6.1 - i386, alpha, sparc, sparcv9
Red Hat Linux 6.2 - i386, alpha, sparc, sparcv9
3. Problem description:
The dynamic linker ld.so uses several environment variables like LD_PRELOAD
and LD_LIBRARY_PATH to load additional libraries or modify the library
search path. It is unsafe to accept arbitrary user specified values
of these variables when executing setuid applications, so ld.so handles
them specially in setuid programs and also removes them from the
environment.
One of the discovered bugs causes these variables not to be
removed from the environment under certain circumstances. This does not
cause any threat to setuid application themselves, but it could be
exploited if a setuid application does not either drop privileges or clean
up its environment prior to executing other programs.
A number of additional bugs have been found in glibc locale and
internationalization security checks. In internationalized programs, users
are permitted to select a locale or choose message catalogues using
environment variables such as LANG or LC_*. The content of these variables
is then used as part of pathnames for searching message catalogues or
locale files.
Normally, if these variables contain "/" characters, a program can load the
internationalization files from arbitrary directories. This is
unnacceptable for setuid programs, which is why glibc does not allow
certain settings of these variables if the program is setuid or setgid.
However, some of these checks were done in inappropriate places, contained
bugs or were completely missing. It is highly probable that some of these
bugs can be used for local root exploits.
The Red Hat Linux 6.x updates also fix a linuxthreads deadlock bug and
handling of certain values of the TZ environment variable.
4. Solution:
For each RPM for your particular architecture, run:
rpm -Fvh [filename]
where filename is the name of the RPM.
5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):
13785 - Bug in pthreads blocks ability to preempt suspend and resume threads on SMP machines
6. RPMs required:
Red Hat Linux 5.x:
sparc:
ftp://updates.redhat.com/5.2/sparc/glibc-2.0.7-29.2.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/glibc-debug-2.0.7-29.2.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/glibc-devel-2.0.7-29.2.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/glibc-profile-2.0.7-29.2.sparc.rpm
alpha:
ftp://updates.redhat.com/5.2/alpha/glibc-2.0.7-29.2.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-debug-2.0.7-29.2.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-devel-2.0.7-29.2.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-profile-2.0.7-29.2.alpha.rpm
i386:
ftp://updates.redhat.com/5.2/i386/glibc-2.0.7-29.2.i386.rpm
ftp://updates.redhat.com/5.2/i386/glibc-debug-2.0.7-29.2.i386.rpm
ftp://updates.redhat.com/5.2/i386/glibc-devel-2.0.7-29.2.i386.rpm
ftp://updates.redhat.com/5.2/i386/glibc-profile-2.0.7-29.2.i386.rpm
sources:
ftp://updates.redhat.com/5.2/SRPMS/glibc-2.0.7-29.2.src.rpm
Red Hat Linux 6.x:
sparc:
ftp://updates.redhat.com/6.2/sparc/glibc-2.1.3-19.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/glibc-devel-2.1.3-19.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/glibc-profile-2.1.3-19.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/nscd-2.1.3-19.sparc.rpm
i386:
ftp://updates.redhat.com/6.2/i386/glibc-2.1.3-19.i386.rpm
ftp://updates.redhat.com/6.2/i386/glibc-devel-2.1.3-19.i386.rpm
ftp://updates.redhat.com/6.2/i386/glibc-profile-2.1.3-19.i386.rpm
ftp://updates.redhat.com/6.2/i386/nscd-2.1.3-19.i386.rpm
alpha:
ftp://updates.redhat.com/6.2/alpha/glibc-2.1.3-19.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/glibc-devel-2.1.3-19.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/glibc-profile-2.1.3-19.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/nscd-2.1.3-19.alpha.rpm
sparcv9:
ftp://updates.redhat.com/6.2/sparcv9/glibc-2.1.3-19.sparcv9.rpm
sources:
ftp://updates.redhat.com/6.2/SRPMS/glibc-2.1.3-19.src.rpm
7. Verification:
MD5 sum Package Name
--------------------------------------------------------------------------
6ca1331b30257a5a34417d9e3374540a 5.2/SRPMS/glibc-2.0.7-29.2.src.rpm
ef8f379f37e9fde8f67c087db45570c2 5.2/alpha/glibc-2.0.7-29.2.alpha.rpm
0d39f139ea5b23d08b5f3241a23d0731 5.2/alpha/glibc-debug-2.0.7-29.2.alpha.rpm
81e6df8260f301f5934910451fa14786 5.2/alpha/glibc-devel-2.0.7-29.2.alpha.rpm
658f0a9982cad961ab590e6cca5f1b6a 5.2/alpha/glibc-profile-2.0.7-29.2.alpha.rpm
b9963bc927e540815df84d64ba3b94c0 5.2/i386/glibc-2.0.7-29.2.i386.rpm
fc0c7b551073a9bffb65c49dba4800f3 5.2/i386/glibc-debug-2.0.7-29.2.i386.rpm
e0795db373902c9e2ffadc0c32dbbfff 5.2/i386/glibc-devel-2.0.7-29.2.i386.rpm
1b4d3d34588b19374fe6b29c6147bbcc 5.2/i386/glibc-profile-2.0.7-29.2.i386.rpm
dc215c32131cb25628a6be096dd3e539 5.2/sparc/glibc-2.0.7-29.2.sparc.rpm
19b3c1dd1f4f63885343202ae4ddb73c 5.2/sparc/glibc-debug-2.0.7-29.2.sparc.rpm
fb1c1437e8652cf799666198785c6890 5.2/sparc/glibc-devel-2.0.7-29.2.sparc.rpm
bcd19af1741f2704f38e74e89506bb86 5.2/sparc/glibc-profile-2.0.7-29.2.sparc.rpm
ab3e9097d3b105d0011befa30b75592e 6.2/SRPMS/glibc-2.1.3-19.src.rpm
96348fca0030190f920eb3e4769494bc 6.2/alpha/glibc-2.1.3-19.alpha.rpm
aff1e8a826da615c8737d2723618939e 6.2/alpha/glibc-devel-2.1.3-19.alpha.rpm
5a10a0874d44e9cb2a22c65c11d35062 6.2/alpha/glibc-profile-2.1.3-19.alpha.rpm
9136b639e89a8b873055cf259d711576 6.2/alpha/nscd-2.1.3-19.alpha.rpm
cb42ed08fea80af2f292ae2a6e3cc0a1 6.2/i386/glibc-2.1.3-19.i386.rpm
86a4b0d01f6a2b254b109c7a8078c3df 6.2/i386/glibc-devel-2.1.3-19.i386.rpm
2e93114d8487ba44d9a8c2be74e1d160 6.2/i386/glibc-profile-2.1.3-19.i386.rpm
0b9120417f2647a22992c98987218874 6.2/i386/nscd-2.1.3-19.i386.rpm
aa96cbcabf21eefb06df8d1f7da79ed8 6.2/sparc/glibc-2.1.3-19.sparc.rpm
a7cd77d25a30d2bfe884bd2dfd66cf04 6.2/sparc/glibc-devel-2.1.3-19.sparc.rpm
6ba0b5a628b226e0cc9cc2ba8d419f84 6.2/sparc/glibc-profile-2.1.3-19.sparc.rpm
3b93647462f192058c646e841c7a804f 6.2/sparc/nscd-2.1.3-19.sparc.rpm
94e92becb2c06e0e67b2cd39c8b19b14 6.2/sparcv9/glibc-2.1.3-19.sparcv9.rpm
These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at:
http://www.redhat.com/corp/contact.html
You can verify each package with the following command:
rpm --checksig
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
rpm --checksig --nogpg
8. References:
http://www.securityfocus.com/templates/archive.pike?threads=0&start=2000-08-27&mid=79537&fromthread=1&list=1&end=2000-09-02&
Copyright(c) 2000 Red Hat, Inc.
|