Date: Thu, 18 Jan 2001 14:58:19 -0700
From: Linux Mandrake Security Team
To: Linux Mandrake Security Announcements
Subject: [Security Announce] MDKSA-2001:012 - glibc update
Linux-Mandrake Security Update Advisory
Package name: glibc
Date: January 18th, 2001
Advisory ID: MDKSA-2001:012
Affected versions: 6.0, 6.1, 7.0, 7.1, 7.2, Corporate Server 1.0.1
The LD_PRELOAD variable in the GNU C Library is normally honoured
even for SUID/SGID applications (and then removed from the
environment) as long as it contains no '/' characters. A special
check is meant to preload a library found this way only if the
library itself has the SUID bit set. However, if the library was
found in /etc/ld.so.cache, this check was not performed. As a
result, a malicious user could preload a library located in /lib or
/usr/lib into SUID/SGID applications and create or overwrite a file
they would not normally have permission to write. In addition, the
LD_PROFILE output of SUID programs was written to /var/tmp, leaving
it vulnerable to various link attacks.
Please verify the update prior to upgrading to ensure the
integrity of the downloaded package. You can do this with the
following command:
  rpm --checksig package.rpm
You can get the GPG public key of the Linux-Mandrake Security Team
If you use MandrakeUpdate, the verification of md5 checksum and GPG
signature is performed automatically for you.
Updated packages are available in the "updates/[ver]/RPMS/"
directory. For example, if you are looking for an updated RPM
package for Linux-Mandrake 7.1, look for it in "updates/7.1/RPMS/".
Updated source RPMs are available as well, but you generally do not
need to download them.
Please be aware that sometimes it takes the mirrors a few hours
to update, so if you want an immediate upgrade, please use one of
the two above-listed mirrors.
You can view other security advisories for Linux-Mandrake