
[linux-security] glibc bugs



Topics
======
Two problems in glibc:
1. LD_PRELOAD environment variable allows reading and writing of files
   without permission.
2. The RESOLV_HOST_CONF environment variable in glibc versions 2.1.9x and
   later can be used to read privileged files.

Problem Description
===================
There are two problems in glibc:
1. Normally, SUID/SGID applications preload a library only if the library
   itself has the SUID bit set. However, if the library was found in
   /etc/ld.so.cache, this check was not performed.  As a result, a malicious
   user could preload some /lib or /usr/lib library before starting a
   SUID/SGID application and create or overwrite a file he did not have
   permission to write.
   All versions of glibc seem to be vulnerable.
2. glibc-2.2 contains a local vulnerability that affects all setuid root
   binaries.  Any user on affected systems will be able to read any file on
   the system through a simple process:  The user sets the RESOLV_HOST_CONF
   environment variable to the name of the file that they wish to read, then
   runs any setuid root program that makes use of that variable.  The file is
   then written to stderr.
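
The check that problem 2 shows to be missing, as an added example (not glibc's
code and not part of the original advisory): a program ignores an
environment-supplied configuration path when its real and effective IDs differ.
The function names, the default path /etc/host.conf and the error message text
are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Default resolver configuration file (assumed default for this example). */
#define DEFAULT_HOST_CONF "/etc/host.conf"

/* A process runs with elevated privileges when its real and effective
 * user or group IDs differ, which is the case for SUID/SGID programs. */
int ids_elevated(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Pick the configuration path.  The environment-supplied value is used
 * only by an unprivileged process; an elevated one always gets the default,
 * so the invoking user cannot point it at a file of their choosing. */
const char *choose_conf_path(const char *env_value, int elevated)
{
    if (elevated || env_value == NULL || env_value[0] == '\0')
        return DEFAULT_HOST_CONF;
    return env_value;
}

/* Hypothetical helper: what a library would call before opening the file. */
const char *host_conf_path(void)
{
    int elevated = ids_elevated(getuid(), geteuid(), getgid(), getegid());
    return choose_conf_path(getenv("RESOLV_HOST_CONF"), elevated);
}

/* Report a parse error by position only.  Assumption of this example: file
 * contents reach stderr through error messages that echo the bad line, so
 * the line text is left out of the message (message wording is constructed). */
int format_parse_error(char *buf, size_t len, const char *path, int lineno)
{
    return snprintf(buf, len, "%s: line %d: bad command", path, lineno);
}

int main(void)
{
    printf("resolver config: %s\n", host_conf_path());
    return 0;
}
```

glibc 2.17 and later also provide secure_getenv(3), which returns NULL for any
variable when the process runs in secure-execution mode.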

Affected Systems
================
Problem 1: All (?) Linux distributions
           (up to now only RedHat and Mandrake have released advisories)
Problem 2: distributions with glibc versions 2.1.9x and later.

Solution
========
Note: for a glibc update it is probably a good idea to switch to single
user mode first, i.e.,
# /sbin/init 1
<update glibc>
# /sbin/init 5  (or /sbin/init 3 if you are not running X)

RedHat 6.x
rpm -Fvh glibc-2.1.3-22.i386.rpm glibc-devel-2.1.3-22.i386.rpm glibc-profile-2.1.3-22.i386.rpm nscd-2.1.3-22.i386.rpm

RedHat 7.0 i386
rpm -Fvh glibc-2.2-12.i386.rpm glibc-common-2.2-12.i386.rpm glibc-devel-2.2-12.i386.rpm glibc-profile-2.2-12.i386.rpm nscd-2.2-12.i386.rpm

RedHat 7.0 i686
rpm -Fvh glibc-2.2-12.i686.rpm glibc-common-2.2-12.i386.rpm glibc-devel-2.2-12.i386.rpm glibc-profile-2.2-12.i386.rpm nscd-2.2-12.i386.rpm

Mandrake 6.x, 7.0
rpm -Fvh glibc-2.1.3-18.2mdk.i586.rpm glibc-devel-2.1.3-18.2mdk.i586.rpm glibc-profile-2.1.3-18.2mdk.i586.rpm

Mandrake 7.1
rpm -Fvh glibc-2.1.3-18.1mdk.i586.rpm glibc-devel-2.1.3-18.1mdk.i586.rpm glibc-profile-2.1.3-18.1mdk.i586.rpm

Mandrake 7.2
rpm -Fvh glibc-2.1.3-18.3mdk.i586.rpm glibc-devel-2.1.3-18.3mdk.i586.rpm glibc-profile-2.1.3-18.3mdk.i586.rpm

Debian
Solution for problem 1 unknown.
Problem 2: Debian 2.2 (potato) is not vulnerable because it uses glibc-2.1.3.
Debian testing and unstable (woody and sid) are vulnerable: upgrade to
version 2.2.1-1

Slackware
Upgrade to a1/glibcso.tgz, d1/glibc.tgz
a1/glibcso.tgz:
   This package contains the runtime libraries for glibc 2.2.  All users
   of Slackware -current should upgrade this package.
d1/glibc.tgz:
   This is the full glibc 2.2 package, complete with headers and static
   libraries.  If you had previously installed this package, you need
   to upgrade it.
All new packages can be found in the -current branch:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/a1/glibcso.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/d1/glibc.tgz
Upgrade the packages with
   # upgradepkg <package name>.tgz