dcsimg
Linux Today: Linux News On Internet Time.




More on LinuxToday


Red Hat Security Advisory: glibc vulnerabilities in ld.so, locale and gettext

Sep 01, 2000, 20:29 (0 Talkback[s])

Date: Fri, 1 Sep 2000 15:37 -0400
From: bugzilla@redhat.com
To: redhat-watch-list@redhat.com
Subject: [RHSA-2000:057-02] glibc vulnerabilities in ld.so, locale and gettext


                   Red Hat, Inc. Security Advisory

Synopsis:          glibc vulnerabilities in ld.so, locale and gettext
Advisory ID:       RHSA-2000:057-01
Issue date:        2000-09-01
Updated on:        2000-09-01
Product:           Red Hat Linux
Keywords:          glibc ld.so locale LANG gettext LD_PRELOAD threads
Cross references:  N/A

1. Topic:

Several bugs were discovered in glibc which could allow local users to gain root privileges.

2. Relevant releases/architectures:

Red Hat Linux 5.0 - i386, alpha
Red Hat Linux 5.1 - i386, alpha, sparc
Red Hat Linux 5.2 - i386, alpha, sparc
Red Hat Linux 6.0 - i386, alpha, sparc
Red Hat Linux 6.1 - i386, alpha, sparc, sparcv9
Red Hat Linux 6.2 - i386, alpha, sparc, sparcv9

3. Problem description:

The dynamic linker ld.so uses several environment variables like LD_PRELOAD and LD_LIBRARY_PATH to load additional libraries or modify the library search path. It is unsafe to accept arbitrary user specified values of these variables when executing setuid applications, so ld.so handles them specially in setuid programs and also removes them from the environment.

One of the discovered bugs causes these variables not to be removed from the environment under certain circumstances. This does not cause any threat to setuid application themselves, but it could be exploited if a setuid application does not either drop privileges or clean up its environment prior to executing other programs.

A number of additional bugs have been found in glibc locale and internationalization security checks. In internationalized programs, users are permitted to select a locale or choose message catalogues using environment variables such as LANG or LC_*. The content of these variables is then used as part of pathnames for searching message catalogues or locale files.

Normally, if these variables contain "/" characters, a program can load the internationalization files from arbitrary directories. This is unnacceptable for setuid programs, which is why glibc does not allow certain settings of these variables if the program is setuid or setgid. However, some of these checks were done in inappropriate places, contained bugs or were completely missing. It is highly probable that some of these bugs can be used for local root exploits.

The Red Hat Linux 6.x updates also fix a linuxthreads deadlock bug and handling of certain values of the TZ environment variable.

4. Solution:

For each RPM for your particular architecture, run:

rpm -Fvh [filename]

where filename is the name of the RPM.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):


13785 - Bug in pthreads blocks ability to preempt suspend and resume threads on SMP machines

6. RPMs required:

Red Hat Linux 5.x:

sparc:
ftp://updates.redhat.com/5.2/sparc/glibc-2.0.7-29.2.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/glibc-debug-2.0.7-29.2.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/glibc-devel-2.0.7-29.2.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/glibc-profile-2.0.7-29.2.sparc.rpm

alpha:
ftp://updates.redhat.com/5.2/alpha/glibc-2.0.7-29.2.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-debug-2.0.7-29.2.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-devel-2.0.7-29.2.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-profile-2.0.7-29.2.alpha.rpm

i386:
ftp://updates.redhat.com/5.2/i386/glibc-2.0.7-29.2.i386.rpm
ftp://updates.redhat.com/5.2/i386/glibc-debug-2.0.7-29.2.i386.rpm
ftp://updates.redhat.com/5.2/i386/glibc-devel-2.0.7-29.2.i386.rpm
ftp://updates.redhat.com/5.2/i386/glibc-profile-2.0.7-29.2.i386.rpm

sources:
ftp://updates.redhat.com/5.2/SRPMS/glibc-2.0.7-29.2.src.rpm

Red Hat Linux 6.x:

sparc:
ftp://updates.redhat.com/6.2/sparc/glibc-2.1.3-19.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/glibc-devel-2.1.3-19.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/glibc-profile-2.1.3-19.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/nscd-2.1.3-19.sparc.rpm

i386:
ftp://updates.redhat.com/6.2/i386/glibc-2.1.3-19.i386.rpm
ftp://updates.redhat.com/6.2/i386/glibc-devel-2.1.3-19.i386.rpm
ftp://updates.redhat.com/6.2/i386/glibc-profile-2.1.3-19.i386.rpm
ftp://updates.redhat.com/6.2/i386/nscd-2.1.3-19.i386.rpm

alpha:
ftp://updates.redhat.com/6.2/alpha/glibc-2.1.3-19.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/glibc-devel-2.1.3-19.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/glibc-profile-2.1.3-19.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/nscd-2.1.3-19.alpha.rpm

sparcv9:
ftp://updates.redhat.com/6.2/sparcv9/glibc-2.1.3-19.sparcv9.rpm

sources:
ftp://updates.redhat.com/6.2/SRPMS/glibc-2.1.3-19.src.rpm

7. Verification:

MD5 sum                           Package Name

6ca1331b30257a5a34417d9e3374540a 5.2/SRPMS/glibc-2.0.7-29.2.src.rpm
ef8f379f37e9fde8f67c087db45570c2 5.2/alpha/glibc-2.0.7-29.2.alpha.rpm
0d39f139ea5b23d08b5f3241a23d0731 5.2/alpha/glibc-debug-2.0.7-29.2.alpha.rpm
81e6df8260f301f5934910451fa14786 5.2/alpha/glibc-devel-2.0.7-29.2.alpha.rpm
658f0a9982cad961ab590e6cca5f1b6a 5.2/alpha/glibc-profile-2.0.7-29.2.alpha.rpm
b9963bc927e540815df84d64ba3b94c0 5.2/i386/glibc-2.0.7-29.2.i386.rpm
fc0c7b551073a9bffb65c49dba4800f3 5.2/i386/glibc-debug-2.0.7-29.2.i386.rpm
e0795db373902c9e2ffadc0c32dbbfff 5.2/i386/glibc-devel-2.0.7-29.2.i386.rpm
1b4d3d34588b19374fe6b29c6147bbcc 5.2/i386/glibc-profile-2.0.7-29.2.i386.rpm
dc215c32131cb25628a6be096dd3e539 5.2/sparc/glibc-2.0.7-29.2.sparc.rpm
19b3c1dd1f4f63885343202ae4ddb73c 5.2/sparc/glibc-debug-2.0.7-29.2.sparc.rpm
fb1c1437e8652cf799666198785c6890 5.2/sparc/glibc-devel-2.0.7-29.2.sparc.rpm
bcd19af1741f2704f38e74e89506bb86 5.2/sparc/glibc-profile-2.0.7-29.2.sparc.rpm
ab3e9097d3b105d0011befa30b75592e 6.2/SRPMS/glibc-2.1.3-19.src.rpm
96348fca0030190f920eb3e4769494bc 6.2/alpha/glibc-2.1.3-19.alpha.rpm
aff1e8a826da615c8737d2723618939e 6.2/alpha/glibc-devel-2.1.3-19.alpha.rpm
5a10a0874d44e9cb2a22c65c11d35062 6.2/alpha/glibc-profile-2.1.3-19.alpha.rpm
9136b639e89a8b873055cf259d711576 6.2/alpha/nscd-2.1.3-19.alpha.rpm
cb42ed08fea80af2f292ae2a6e3cc0a1 6.2/i386/glibc-2.1.3-19.i386.rpm
86a4b0d01f6a2b254b109c7a8078c3df 6.2/i386/glibc-devel-2.1.3-19.i386.rpm
2e93114d8487ba44d9a8c2be74e1d160 6.2/i386/glibc-profile-2.1.3-19.i386.rpm
0b9120417f2647a22992c98987218874 6.2/i386/nscd-2.1.3-19.i386.rpm
aa96cbcabf21eefb06df8d1f7da79ed8 6.2/sparc/glibc-2.1.3-19.sparc.rpm
a7cd77d25a30d2bfe884bd2dfd66cf04 6.2/sparc/glibc-devel-2.1.3-19.sparc.rpm
6ba0b5a628b226e0cc9cc2ba8d419f84 6.2/sparc/glibc-profile-2.1.3-19.sparc.rpm
3b93647462f192058c646e841c7a804f 6.2/sparc/nscd-2.1.3-19.sparc.rpm
94e92becb2c06e0e67b2cd39c8b19b14 6.2/sparcv9/glibc-2.1.3-19.sparcv9.rpm
These packages are GPG signed by Red Hat, Inc. for security. Our key is available at:
http://www.redhat.com/corp/contact.html

You can verify each package with the following command:
rpm --checksig

If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command:
rpm --checksig --nogpg

8. References:

http://www.securityfocus.com/templates/archive.pike?threads=0&start=2000-08-27&mid=79537&fromthread=1&list=1&end=2000-09-02&

Copyright(c) 2000 Red Hat, Inc.