LinuxSecurity.com
RedHat: UPDATE: glibc vulnerabilities
Posted by LinuxSecurity.com Team   
RedHat Linux Several bugs were discovered in glibc which could allow local users to gain root privileges.
---------------------------------------------------------------------
                   Red Hat, Inc. Security Advisory

Synopsis:          glibc vulnerabilities in ld.so, locale and gettext
Advisory ID:       RHSA-2000:057-04
Issue date:        2000-09-01
Updated on:        2000-09-07
Product:           Red Hat Linux
Keywords:          glibc ld.so locale LANG gettext LD_PRELOAD threads
Cross references:  N/A
---------------------------------------------------------------------

1. Topic:

Several bugs were discovered in glibc which could allow local users to
gain root privileges.

2. Relevant releases/architectures:

Red Hat Linux 5.0 - i386, alpha
Red Hat Linux 5.1 - i386, alpha, sparc
Red Hat Linux 5.2 - i386, alpha, sparc
Red Hat Linux 6.0 - i386, alpha, sparc
Red Hat Linux 6.1 - i386, alpha, sparc, sparcv9
Red Hat Linux 6.2 - i386, alpha, sparc, sparcv9

3. Problem description:

The dynamic linker ld.so uses several environment variables like LD_PRELOAD
and LD_LIBRARY_PATH to load additional libraries or modify the library
search path. It is unsafe to accept arbitrary user specified values
of these variables when executing setuid applications, so ld.so handles
them specially in setuid programs and also removes them from the
environment.

One of the discovered bugs causes these variables not to be
removed from the environment under certain circumstances. This does not
pose any threat to setuid applications themselves, but it could be
exploited if a setuid application neither drops privileges nor cleans
up its environment prior to executing other programs.

A number of additional bugs have been found in glibc locale and
internationalization security checks. In internationalized programs, users
are permitted to select a locale or choose message catalogues using
environment variables such as LANG or LC_*. The content of these variables
is then used as part of pathnames for searching message catalogues or
locale files.

Normally, if these variables contain "/" characters, a program can load the
internationalization files from arbitrary directories. This is
unacceptable for setuid programs, which is why glibc does not allow
certain settings of these variables if the program is setuid or setgid.
However, some of these checks were done in inappropriate places, contained
bugs or were completely missing. It is highly probable that some of these
bugs can be used for local root exploits.
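
An added example, not part of the Red Hat advisory: one way a setuid program
could clean up its environment before executing another program, covering both
the ld.so variables and the locale variables described above. The function
names, the sample environment and the inclusion of LANGUAGE (a GNU gettext
variable not named in the advisory) are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>

/* 1 if a "NAME=value" entry may be handed to a child process, else 0. */
static int env_entry_is_safe(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry) return 0;    /* malformed entry */
    size_t nlen = (size_t)(eq - entry);
    /* Dynamic-linker controls such as LD_PRELOAD and LD_LIBRARY_PATH. */
    if (strncmp(entry, "LD_", 3) == 0) return 0;
    /* Locale selectors end up inside pathnames, so refuse any '/'. */
    int is_locale = (nlen == 4 && strncmp(entry, "LANG", 4) == 0) ||
                    (nlen == 8 && strncmp(entry, "LANGUAGE", 8) == 0) ||
                    strncmp(entry, "LC_", 3) == 0;
    return !(is_locale && strchr(eq + 1, '/') != NULL);
}

/* Filtered, NULL-terminated copy of envp. Entries alias the originals, so
 * the caller frees only the returned array. NULL on allocation failure. */
char **sanitized_env(char *const envp[])
{
    size_t n = 0, k = 0;
    while (envp[n] != NULL) n++;
    char **out = malloc((n + 1) * sizeof *out);
    if (out == NULL) return NULL;
    for (size_t i = 0; i < n; i++)
        if (env_entry_is_safe(envp[i]))
            out[k++] = envp[i];
    out[k] = NULL;
    return out;
}

/* Constructed sample environment, not taken from the advisory. */
static char *const sample_env[] = {
    "PATH=/bin:/usr/bin", "LD_PRELOAD=/tmp/preload.so", "LANG=en_US",
    "LC_ALL=../../tmp/x", "LD_LIBRARY_PATH=/tmp", "TERM=vt100", NULL
};

/* Entries of sample_env that survive filtering; a real caller would pass
 * the filtered array as the envp argument of execve(). */
int sample_kept_count(void)
{
    char **clean = sanitized_env(sample_env);
    int k = 0;
    while (clean != NULL && clean[k] != NULL) k++;
    free(clean);
    return k;
}
```

This filter is narrowed to the variables the advisory discusses; a program
that knows exactly which variables its children need can instead pass only
those.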

The Red Hat Linux 6.x updates also fix a linuxthreads deadlock bug and
handling of certain values of the TZ environment variable.

The previous version of the 6.x errata introduced some threading problems
visible with JDK and Mozilla, and the 5.x errata had a bug which caused
several localized programs to die with a segmentation fault at startup.
Both of these problems are fixed with this errata update.

4. Solution:

For each RPM for your particular architecture, run:

rpm -Fvh [filename]

where filename is the name of the RPM.

5. Bug IDs fixed  (http://bugzilla.redhat.com/bugzilla for more info):

13785 - Bug in pthreads blocks ability to preempt suspend and resume threads on SMP machines
17203 - glibc-2.1.3-19 breaks Sun and IBM Java 1.3 on SMP
17187 - tcsh broken after glibc upgrade


6. RPMs required:

Red Hat Linux 5.2:

sparc:
ftp://updates.redhat.com/5.2/sparc/glibc-2.0.7-29.4.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/glibc-debug-2.0.7-29.4.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/glibc-devel-2.0.7-29.4.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/glibc-profile-2.0.7-29.4.sparc.rpm

alpha:
ftp://updates.redhat.com/5.2/alpha/glibc-2.0.7-29.4.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-debug-2.0.7-29.4.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-devel-2.0.7-29.4.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-profile-2.0.7-29.4.alpha.rpm

i386:
ftp://updates.redhat.com/5.2/i386/glibc-2.0.7-29.4.i386.rpm
ftp://updates.redhat.com/5.2/i386/glibc-debug-2.0.7-29.4.i386.rpm
ftp://updates.redhat.com/5.2/i386/glibc-devel-2.0.7-29.4.i386.rpm
ftp://updates.redhat.com/5.2/i386/glibc-profile-2.0.7-29.4.i386.rpm

sources:
ftp://updates.redhat.com/5.2/SRPMS/glibc-2.0.7-29.4.src.rpm

Red Hat Linux 6.2:

sparc:
ftp://updates.redhat.com/6.2/sparc/glibc-2.1.3-21.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/glibc-devel-2.1.3-21.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/glibc-profile-2.1.3-21.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/nscd-2.1.3-21.sparc.rpm

i386:
ftp://updates.redhat.com/6.2/i386/glibc-2.1.3-21.i386.rpm
ftp://updates.redhat.com/6.2/i386/glibc-devel-2.1.3-21.i386.rpm
ftp://updates.redhat.com/6.2/i386/glibc-profile-2.1.3-21.i386.rpm
ftp://updates.redhat.com/6.2/i386/nscd-2.1.3-21.i386.rpm

alpha:
ftp://updates.redhat.com/6.2/alpha/glibc-2.1.3-21.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/glibc-devel-2.1.3-21.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/glibc-profile-2.1.3-21.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/nscd-2.1.3-21.alpha.rpm

sparcv9:
ftp://updates.redhat.com/6.2/sparcv9/glibc-2.1.3-21.sparcv9.rpm

sources:
ftp://updates.redhat.com/6.2/SRPMS/glibc-2.1.3-21.src.rpm

7. Verification:

These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
     http://www.redhat.com/corp/contact.html

You can verify each package with the following command:
    rpm --checksig [filename]

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg [filename]

8. References:
 
http://www.securityfocus.com/templates/archive.pike?threads=0&start=2000-08-27&mid=79537&fromthread=1&list=1&end=2000-09-02&


Copyright(c) 2000 Red Hat, Inc.