[ SOURCE: http://www.secureroot.com/security/advisories/9684959710.html ] -----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ SuSE Security Announcement Package: shlibs (glibc-2.0, glibc-2.1) Date: Wednesday, September 6th, 2000 12:30 MEST Affected SuSE versions: 6.0, 6.1, 6.2, 6.3, 6.4, 7.0 Vulnerability Type: local root compromise Severity (1-10): 9 SuSE default package: yes Other affected systems: all glibc based linux systems, other Un*x systems Content of this advisory: 1) security vulnerability resolved: shlibs (glibc) problem description, discussion, solution and upgrade information 2) pending vulnerabilities, temporary workarounds 3) standard appendix (further information) ______________________________________________________________________________ 1) problem description, brief discussion, solution, upgrade information The glibc implementations in all SuSE distributions starting with SuSE-6.0 have multiple security problems where at least one of them allows any local user to gain root access to the system. a) ld-linux.so.2, the runtime linker, is supposed to clean environment variables that may influence the execution of programs ran by a suid program. Variables of that kind include LD_LIBRARY_PATH and LD_PRELOAD. These variables do not have any effect on the suid application itself since the linker ignores them. However, if the suid program executes another non-suid application without dropping privileges and without cleaning the environment, the LD_* variables would allow an attacker to execute arbitrary code as the effective uid of the calling suid program. There is currently no program in the SuSE distribution known to be susceptible to this problem. b) locale handling portions of the glibc code fails to properly check given environment settings such as the variable LANGUAGE. This could lead to arbitrary code being executed as root, depending on the permissions and ownerships of the program being used for the exploit. c) A bug in the mutex handling code in the shlibs version for SuSE-7.0 could cause multithreaded applications to hang or crash. This has also been fixed. There is only one way to temporarily circumvent the exploit: Disable all suid applications in the system. SuSE provides a updated packages for the vulnerable libraries. It is strongly recommended to upgrade to the latest version found on our ftp server as described below. The update packages remove all currently known security problems in the glibc package. Download the update packages as described below and install the package with the command `rpm -Fhv file.rpm'. The md5sum for each file is in the line below. You can verify the integrity of the rpm files using the command `rpm --checksig --nogpg file.rpm', independently from the md5 signatures below. SPECIAL INSTALL INSTRUCTIONS: Note that the complete update consists of three (3) binary rpm packages and one source rpm package per distribution and platform. libc-*.rpm contains the static libraries, libd is the package for the profiling+debugging version of the libraries. If at all possible, keep your machine calm while you perform the update. Execute the following commands after the rpm update has been applied: /sbin/ldconfig # alternatively, use SuSEconfig /sbin/init u # will restart init to make a clean shutdown # possible once needed. i386 Intel Platform: SuSE-7.0 ftp://ftp.suse.com/pub/suse/i386/update/7.0/a1/shlibs-2.1.3-154.i386.rpm 753176172ebf628c6567c70a9b950933 ftp://ftp.suse.com/pub/suse/i386/update/7.0/d1/libc-2.1.3-154.i386.rpm 0f0696fc359cdb7b13f40a52d6676f09 ftp://ftp.suse.com/pub/suse/i386/update/7.0/d2/libd-2.1.3-154.i386.rpm 4ca3268f91a9294313cf871e9f7cb8b8 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/libc-2.1.3-154.src.rpm a6af3232fe6d474d6309c68469c126ec SuSE-6.4 ftp://ftp.suse.com/pub/suse/i386/update/6.4/a1/shlibs-2.1.3-154.i386.rpm 150dcb3854b066c021c396b4a0fe25e6 ftp://ftp.suse.com/pub/suse/i386/update/6.4/d1/libc-2.1.3-154.i386.rpm 75c9aef75d6e7e4b196c21bb500d00e0 ftp://ftp.suse.com/pub/suse/i386/update/6.4/d2/libd-2.1.3-154.i386.rpm 47fff508b0b67a82356361aa23c8beae source rpm: ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/libc-2.1.3-154.src.rpm bfeaa4e15ecbe1fea986b710152b5fec SuSE-6.3 ftp://ftp.suse.com/pub/suse/i386/update/6.3/a1/shlibs-2.1.2-47.i386.rpm 8e88f237414a4d8f96131b17267b4d53 ftp://ftp.suse.com/pub/suse/i386/update/6.3/d1/libc-2.1.2-47.i386.rpm 575bb0c94474add7ae02333cbb77cba0 ftp://ftp.suse.com/pub/suse/i386/update/6.3/d2/libd-2.1.2-47.i386.rpm 8728db143b6393a261aa9060d9321345 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/libc-2.1.2-47.src.rpm eea1810dceafe5e7f77b4b5137829834 SuSE-6.2 ftp://ftp.suse.com/pub/suse/i386/update/6.2/a1/shlibs-2.1.1-29.i386.rpm 78360eddc58f3897a14327d2fa214191 ftp://ftp.suse.com/pub/suse/i386/update/6.2/d1/libc-2.1.1-29.i386.rpm 456cad1d8034d40ebbf8337d1308c4de ftp://ftp.suse.com/pub/suse/i386/update/6.2/d2/libd-2.1.1-29.i386.rpm 6dccdf557c6d329b40238a1644368564 source rpm: ftp://ftp.suse.com/pub/suse/i386/update/6.2/zq1/libc-2.1.1-29.src.rpm cec489c212826cb2dcc65a602da61da3 SuSE-6.1 ftp://ftp.suse.com/pub/suse/i386/update/6.1/a1/shlibs-2000.9.5-0.i386.rpm 7a272e7f15fd2dec69401d4c788de015 ftp://ftp.suse.com/pub/suse/i386/update/6.1/d1/libc-2000.9.5-0.i386.rpm c748944bbe8a55f69478e6ef0bda843a ftp://ftp.suse.com/pub/suse/i386/update/6.1/d2/libd-2000.9.5-0.i386.rpm 7fce2e2e41b62dc985e48ee31f6dac1c source rpm: ftp://ftp.suse.com/pub/suse/i386/update/6.1/zq1/libc-2000.9.5-0.src.rpm 77fa60f5a3a10e02460bd1960b1f78f6 Please use the packages from the SuSE-6.1 directory for SuSE-6.0! Sparc Platform: SuSE-7.0: ftp://ftp.suse.com/pub/suse/sparc/update/7.0/a1/shlibs-2.1.3-154.sparc.rpm 1563171d7ee17a3048500afd4424927d ftp://ftp.suse.com/pub/suse/sparc/update/7.0/d1/libc-2.1.3-154.sparc.rpm a907fbb3e5e48664cadb6b75570e15b2 ftp://ftp.suse.com/pub/suse/sparc/update/7.0/d2/libd-2.1.3-154.sparc.rpm f60071e3a497e3af48078338b3bd6610 source rpm: ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/libc-2.1.3-154.src.rpm 690a34f9ddb6bd6edf41a07d5fba0ad4 AXP Alpha Platform: SuSE-6.4 ftp://ftp.suse.com/pub/suse/axp/update/6.4/a1/shlibs-2.1.3-154.alpha.rpm d08a782d1dc1cc406b2141727295befe ftp://ftp.suse.com/pub/suse/axp/update/6.4/d1/libc-2.1.3-154.alpha.rpm 730c9b3c98f9d243c09ce41c5c4240a5 ftp://ftp.suse.com/pub/suse/axp/update/6.4/d2/libd-2.1.3-154.alpha.rpm 0c2ba3d11a42d84f48b1ee79a15e36b2 source rpm: ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/libc-2.1.3-154.src.rpm a5f2a207c6f8b179bbd91cea9c96711d SuSE-6.3 ftp://ftp.suse.com/pub/suse/axp/update/6.3/a1/shlibs-2.1.2-47.alpha.rpm afc0ac7f3db066702fbd19bfaa216751 ftp://ftp.suse.com/pub/suse/axp/update/6.3/d1/libc-2.1.2-47.alpha.rpm 3530ef711231a5b378d14fe70e2971f6 ftp://ftp.suse.com/pub/suse/axp/update/6.3/d2/libd-2.1.2-47.alpha.rpm 5836a7a1557046b0c3498b7dec1ee436 source rpm: ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/libc-2.1.2-47.src.rpm 0100769ad09d68563a7540ba73c826d7 SuSE-6.1 ftp://ftp.suse.com/pub/suse/axp/update/6.1/a1/shlibs-2000.9.5-0.alpha.rpm 64c59dcb13069293694faf845446463e ftp://ftp.suse.com/pub/suse/axp/update/6.1/d1/libc-2000.9.5-0.alpha.rpm 2b8df961dcfb42933cdf298f9229cffd ftp://ftp.suse.com/pub/suse/axp/update/6.1/d2/libd-2000.9.5-0.alpha.rpm 75dd4bcfb0bf2cc64fe8dd5bfc4a69f0 source rpm: ftp://ftp.suse.com/pub/suse/axp/update/6.1/zq1/libc-2000.9.5-0.src.rpm 11871baa8279f8c0c79f6c9d95ca531c PPC Power PC Platform: SuSE-6.4 ftp://ftp.suse.com/pub/suse/ppc/update/6.4/a1/shlibs-2.1.3-154.ppc.rpm 8565cd463e4fbbccc39aa96f1eefdc70 ftp://ftp.suse.com/pub/suse/ppc/update/6.4/d1/libc-2.1.3-154.ppc.rpm 987ed3d338fb7c42083cf6dd2057ce0b ftp://ftp.suse.com/pub/suse/ppc/update/6.4/d2/libd-2.1.3-154.ppc.rpm a212f188cf31d55c2016236d2c313cf4 source rpm: ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/libc-2.1.3-154.src.rpm 401b4f2f306a065fb04edd89cd153364 ______________________________________________________________________________ 2) Pending vulnerabilities in SuSE Distributions and Workarounds: This section addresses currently known vulnerabilities in Linux/Unix systems that have not been resolved yet as of the release date of this advisory. - screen local root compromise. Update+advisory follows this advisory. - zope SuSE distributions before 7.0 do not contain zope as a package. An updated package for the freshly released SuSE-7.0 is on the way. - xchat A fix for the URL handler vulnerabilty is in progress and will be released within a few days. There is currently no effective and easy workaround other than removing the package by hand (`rpm -e xchat'). More information on xchat can be found in xchat's documentation directory /usr/doc/packages/xchat or /usr/share/doc/packages/xchat for SuSE-7.0. ______________________________________________________________________________ 3) standard appendix: SuSE runs two security mailing lists to which any interested party may subscribe: suse-security@suse.com - general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to . suse-security-announce@suse.com - SuSE's announce-only mailing list. Only SuSE's security annoucements are sent to this list. To subscribe, send an email to . For general information or the frequently asked questions (faq) send mail to: or respectively. =============================================== SuSE's security contact is . =============================================== Regards, Roman Drahtmüller. - - -- - - | Roman Drahtmüller // "Caution: Cape does | SuSE GmbH - Security Phone: // not enable user to fly." | Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) | - - ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. SuSE GmbH makes no warranties of any kind whatsoever with respect to the information contained in this security advisory. Type Bits/KeyID Date User ID pub 2048/3D25D3D9 1999/03/06 SuSE Security Team - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.3i mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh 1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+ cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7 tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63 Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+ x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0 Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2 saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o L0oixF12Cg== =pIeS - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQEVAwUBObYa53ey5gA9JdPZAQHOcwf/Xwz2AsyelEXHA9KA+9/b5ZpEPu0hnySF KjADn6wLGDGdUBb70IszsIWbxg5XUXkQ4rjmHgE2IXmZG+euD+KW7Y9QPNTGpt5/ JD9lQAaqlqSOFr6/CuD44ZaU/hUGELeMIyG0YDCG27zQwWGigjJwdeyuDeqif0+M MGDnBqW+GS/LXaLd7Yb4QIocFDKzYFHqGPbYIP3vEAkTpT/gBV6C51E7NBDE8Bwm 3k8PvrHIoq/ovlUEqMbeEETskjMuGQfkUPHfVDV0um96RpsdKEHQIBdCfeMBTe5P ZL/aLeMwDdN6kKNAeouKDszWz453uXuWo0h8cZCJG2/Z1bNtoEi9Aw== =iM4f -----END PGP SIGNATURE-----