Red Hat Security Advisory: glibc vulnerabilities in ld.so, locale and gettextSep 01, 2000, 20:29 (0 Talkback[s])
Date: Fri, 1 Sep 2000 15:37 -0400
Red Hat, Inc. Security Advisory Synopsis: glibc vulnerabilities in ld.so, locale and gettext Advisory ID: RHSA-2000:057-01 Issue date: 2000-09-01 Updated on: 2000-09-01 Product: Red Hat Linux Keywords: glibc ld.so locale LANG gettext LD_PRELOAD threads Cross references: N/A
Several bugs were discovered in glibc which could allow local users to gain root privileges.
2. Relevant releases/architectures:
Red Hat Linux 5.0 - i386, alpha
3. Problem description:
The dynamic linker ld.so uses several environment variables like LD_PRELOAD and LD_LIBRARY_PATH to load additional libraries or modify the library search path. It is unsafe to accept arbitrary user specified values of these variables when executing setuid applications, so ld.so handles them specially in setuid programs and also removes them from the environment.
One of the discovered bugs causes these variables not to be removed from the environment under certain circumstances. This does not cause any threat to setuid application themselves, but it could be exploited if a setuid application does not either drop privileges or clean up its environment prior to executing other programs.
A number of additional bugs have been found in glibc locale and internationalization security checks. In internationalized programs, users are permitted to select a locale or choose message catalogues using environment variables such as LANG or LC_*. The content of these variables is then used as part of pathnames for searching message catalogues or locale files.
Normally, if these variables contain "/" characters, a program can load the internationalization files from arbitrary directories. This is unnacceptable for setuid programs, which is why glibc does not allow certain settings of these variables if the program is setuid or setgid. However, some of these checks were done in inappropriate places, contained bugs or were completely missing. It is highly probable that some of these bugs can be used for local root exploits.
The Red Hat Linux 6.x updates also fix a linuxthreads deadlock bug and handling of certain values of the TZ environment variable.
For each RPM for your particular architecture, run:
rpm -Fvh [filename]
where filename is the name of the RPM.
5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):
6. RPMs required:
Red Hat Linux 5.x:
Red Hat Linux 6.x:
MD5 sum Package Name
6ca1331b30257a5a34417d9e3374540a 5.2/SRPMS/glibc-2.0.7-29.2.src.rpm ef8f379f37e9fde8f67c087db45570c2 5.2/alpha/glibc-2.0.7-29.2.alpha.rpm 0d39f139ea5b23d08b5f3241a23d0731 5.2/alpha/glibc-debug-2.0.7-29.2.alpha.rpm 81e6df8260f301f5934910451fa14786 5.2/alpha/glibc-devel-2.0.7-29.2.alpha.rpm 658f0a9982cad961ab590e6cca5f1b6a 5.2/alpha/glibc-profile-2.0.7-29.2.alpha.rpm b9963bc927e540815df84d64ba3b94c0 5.2/i386/glibc-2.0.7-29.2.i386.rpm fc0c7b551073a9bffb65c49dba4800f3 5.2/i386/glibc-debug-2.0.7-29.2.i386.rpm e0795db373902c9e2ffadc0c32dbbfff 5.2/i386/glibc-devel-2.0.7-29.2.i386.rpm 1b4d3d34588b19374fe6b29c6147bbcc 5.2/i386/glibc-profile-2.0.7-29.2.i386.rpm dc215c32131cb25628a6be096dd3e539 5.2/sparc/glibc-2.0.7-29.2.sparc.rpm 19b3c1dd1f4f63885343202ae4ddb73c 5.2/sparc/glibc-debug-2.0.7-29.2.sparc.rpm fb1c1437e8652cf799666198785c6890 5.2/sparc/glibc-devel-2.0.7-29.2.sparc.rpm bcd19af1741f2704f38e74e89506bb86 5.2/sparc/glibc-profile-2.0.7-29.2.sparc.rpm ab3e9097d3b105d0011befa30b75592e 6.2/SRPMS/glibc-2.1.3-19.src.rpm 96348fca0030190f920eb3e4769494bc 6.2/alpha/glibc-2.1.3-19.alpha.rpm aff1e8a826da615c8737d2723618939e 6.2/alpha/glibc-devel-2.1.3-19.alpha.rpm 5a10a0874d44e9cb2a22c65c11d35062 6.2/alpha/glibc-profile-2.1.3-19.alpha.rpm 9136b639e89a8b873055cf259d711576 6.2/alpha/nscd-2.1.3-19.alpha.rpm cb42ed08fea80af2f292ae2a6e3cc0a1 6.2/i386/glibc-2.1.3-19.i386.rpm 86a4b0d01f6a2b254b109c7a8078c3df 6.2/i386/glibc-devel-2.1.3-19.i386.rpm 2e93114d8487ba44d9a8c2be74e1d160 6.2/i386/glibc-profile-2.1.3-19.i386.rpm 0b9120417f2647a22992c98987218874 6.2/i386/nscd-2.1.3-19.i386.rpm aa96cbcabf21eefb06df8d1f7da79ed8 6.2/sparc/glibc-2.1.3-19.sparc.rpm a7cd77d25a30d2bfe884bd2dfd66cf04 6.2/sparc/glibc-devel-2.1.3-19.sparc.rpm 6ba0b5a628b226e0cc9cc2ba8d419f84 6.2/sparc/glibc-profile-2.1.3-19.sparc.rpm 3b93647462f192058c646e841c7a804f 6.2/sparc/nscd-2.1.3-19.sparc.rpm 94e92becb2c06e0e67b2cd39c8b19b14 6.2/sparcv9/glibc-2.1.3-19.sparcv9.rpmThese packages are GPG signed by Red Hat, Inc. for security. Our key is available at:
You can verify each package with the following command:
If you only wish to verify that each package has not been
corrupted or tampered with, examine only the md5sum with the
Copyright(c) 2000 Red Hat, Inc.