
Title: glibc local write access vulnerability
Released by: RedHat
Date: 16th January 2001
---------------------------------------------------------------------

                   Red Hat, Inc. Red Hat Security Advisory



Synopsis:          glibc local write access vulnerability

Advisory ID:       RHSA-2001:002-03

Issue date:        2001-01-15

Updated on:        2001-01-16

Product:           Red Hat Linux

Keywords:          glibc LD_PRELOAD SEGFAULT_OUTPUT_NAME

Cross references:  

Obsoletes:         

---------------------------------------------------------------------



1. Topic:



A bug in the GNU C Library allows an unprivileged user to preload
libraries located in the /lib or /usr/lib directories into SUID programs
even if those libraries have not been marked as such by the system
administrator.



2. Relevant releases/architectures:



Red Hat Linux 6.0 - alpha, i386, sparc, sparcv9



Red Hat Linux 6.1 - alpha, i386, sparc, sparcv9



Red Hat Linux 6.2 - alpha, i386, sparc, sparcv9



3. Problem description:



The LD_PRELOAD variable is normally honoured even for SUID/SGID
applications (but removed from the environment afterwards) if it does not
contain `/' characters, but there is a special check which only preloads
the libraries found if they have the SUID bit set. However, if a library
was found in /etc/ld.so.cache, this check was not performed. As a result,
a malicious user could preload some /lib or /usr/lib library before a
SUID/SGID application and create or overwrite a file he did not have
permissions to.

Also, LD_PROFILE output from SUID programs would go into /var/tmp,
making it vulnerable to various link attacks.



4. Solution:



For each RPM for your particular architecture, run:



rpm -Fvh [filename]



where filename is the name of the RPM.



5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):



20832 - Unknown system type Nautilus



6. RPMs required:



Red Hat Linux 6.0:



SRPMS:

http://updates.redhat.com/6.0/SRPMS/glibc-2.1.3-22.src.rpm




alpha:

http://updates.redhat.com/6.0/alpha/glibc-2.1.3-22.alpha.rpm

http://updates.redhat.com/6.0/alpha/glibc-devel-2.1.3-22.alpha.rpm

http://updates.redhat.com/6.0/alpha/glibc-profile-2.1.3-22.alpha.rpm

http://updates.redhat.com/6.0/alpha/nscd-2.1.3-22.alpha.rpm




i386:

http://updates.redhat.com/6.0/i386/glibc-2.1.3-22.i386.rpm

http://updates.redhat.com/6.0/i386/glibc-devel-2.1.3-22.i386.rpm

http://updates.redhat.com/6.0/i386/glibc-profile-2.1.3-22.i386.rpm

http://updates.redhat.com/6.0/i386/nscd-2.1.3-22.i386.rpm



sparc:

http://updates.redhat.com/6.0/sparc/glibc-2.1.3-22.sparc.rpm


http://updates.redhat.com/6.0/sparc/glibc-devel-2.1.3-22.sparc.rpm

http://updates.redhat.com/6.0/sparc/glibc-profile-2.1.3-22.sparc.rpm

http://updates.redhat.com/6.0/sparc/nscd-2.1.3-22.sparc.rpm



sparcv9:

http://updates.redhat.com/6.0/sparcv9/glibc-2.1.3-22.sparcv9.rpm



Red Hat Linux 6.1:



SRPMS:

http://updates.redhat.com/6.1/SRPMS/glibc-2.1.3-22.src.rpm



alpha:

http://updates.redhat.com/6.1/alpha/glibc-2.1.3-22.alpha.rpm

http://updates.redhat.com/6.1/alpha/glibc-devel-2.1.3-22.alpha.rpm

http://updates.redhat.com/6.1/alpha/glibc-profile-2.1.3-22.alpha.rpm

http://updates.redhat.com/6.1/alpha/nscd-2.1.3-22.alpha.rpm



i386:

http://updates.redhat.com/6.1/i386/glibc-2.1.3-22.i386.rpm

http://updates.redhat.com/6.1/i386/glibc-devel-2.1.3-22.i386.rpm

http://updates.redhat.com/6.1/i386/glibc-profile-2.1.3-22.i386.rpm

http://updates.redhat.com/6.1/i386/nscd-2.1.3-22.i386.rpm




sparc:

http://updates.redhat.com/6.1/sparc/glibc-2.1.3-22.sparc.rpm


http://updates.redhat.com/6.1/sparc/glibc-devel-2.1.3-22.sparc.rpm

http://updates.redhat.com/6.1/sparc/glibc-profile-2.1.3-22.sparc.rpm


http://updates.redhat.com/6.1/sparc/nscd-2.1.3-22.sparc.rpm



sparcv9:

http://updates.redhat.com/6.1/sparcv9/glibc-2.1.3-22.sparcv9.rpm



Red Hat Linux 6.2:



SRPMS:

http://updates.redhat.com/6.2/SRPMS/glibc-2.1.3-22.src.rpm



alpha:

http://updates.redhat.com/6.2/alpha/glibc-2.1.3-22.alpha.rpm

http://updates.redhat.com/6.2/alpha/glibc-devel-2.1.3-22.alpha.rpm

http://updates.redhat.com/6.2/alpha/glibc-profile-2.1.3-22.alpha.rpm

http://updates.redhat.com/6.2/alpha/nscd-2.1.3-22.alpha.rpm



i386:

http://updates.redhat.com/6.2/i386/glibc-2.1.3-22.i386.rpm

http://updates.redhat.com/6.2/i386/glibc-devel-2.1.3-22.i386.rpm

http://updates.redhat.com/6.2/i386/glibc-profile-2.1.3-22.i386.rpm

http://updates.redhat.com/6.2/i386/nscd-2.1.3-22.i386.rpm




sparc:

http://updates.redhat.com/6.2/sparc/glibc-2.1.3-22.sparc.rpm


http://updates.redhat.com/6.2/sparc/glibc-devel-2.1.3-22.sparc.rpm


http://updates.redhat.com/6.2/sparc/glibc-profile-2.1.3-22.sparc.rpm

http://updates.redhat.com/6.2/sparc/nscd-2.1.3-22.sparc.rpm



sparcv9:

http://updates.redhat.com/6.2/sparcv9/glibc-2.1.3-22.sparcv9.rpm







7. Verification:






These packages are GPG signed by Red Hat, Inc. for security.  Our key

is available at:

    http://www.redhat.com/corp/contact.html



You can verify each package with the following command:

    rpm --checksig [filename]



If you only wish to verify that each package has not been corrupted or

tampered with, examine only the md5sum with the following command:

    rpm --checksig --nogpg [filename]



8. References:









Copyright(c) 2000, 2001 Red Hat, Inc.







