Date: Wed, 6 Sep 2000 12:32:37 +0200
From: Roman Drahtmueller <draht@suse.de>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: SuSE Security Announcement: shlibs (glibc)
SuSE Security Announcement
Package: shlibs (glibc-2.0, glibc-2.1)
Date: Wednesday, September 6th, 2000 12:30 MEST
Affected SuSE versions: 6.0, 6.1, 6.2, 6.3, 6.4, 7.0
Vulnerability Type: local root compromise
Severity (1-10): 9
SuSE default package: yes
Other affected systems: all glibc based Linux systems, other Un*x systems
Content of this advisory:
1) security vulnerability resolved: shlibs (glibc)
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, temporary workarounds
3) standard appendix (further information)
1) problem description, brief discussion, solution, upgrade information
The glibc implementations in all SuSE distributions starting
with SuSE-6.0 have multiple security problems where at least one of
them allows any local user to gain root access to the system.
a) ld-linux.so.2, the runtime linker, is supposed to remove from the
environment those variables that may influence the execution of programs
run by a suid program. Variables of that kind include LD_LIBRARY_PATH
and LD_PRELOAD. These variables have no effect on the suid application
itself, since the linker ignores them for setuid binaries. However, if
the suid program executes another, non-suid program without dropping
privileges and without cleaning its environment, the child process does
honour the LD_* variables, which lets an attacker execute arbitrary code
with the effective uid of the calling suid program. There is currently
no program in the SuSE distribution known to be susceptible to this
problem.
b) The locale handling portions of the glibc code fail to properly
check environment settings such as the variable LANGUAGE. This could
lead to arbitrary code being executed as root, depending on the
permissions and ownership of the program used for the exploit.
c) A bug in the mutex handling code in the shlibs version for
SuSE-7.0 could cause multithreaded applications to hang or crash.
This has also been fixed.
There is only one way to temporarily work around the problem until the
update is installed: disable all suid applications on the system.
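The pattern from case a) above, and the fix a privileged program should apply, as an added illustration (this is not SuSE or glibc code): a suid wrapper that execs a non-suid helper with its inherited environment hands LD_PRELOAD to a child the linker will trust, whereas a wrapper that drops privileges and rebuilds the environment from an allow-list forwards neither the LD_* variables nor LANGUAGE/LC_* from case b). The helper names (build_clean_env, run_helper_unsafe, run_helper_safe), the allow-list contents and the sample attacker environment are assumptions made for the example.

```c
/* Added example, not from the advisory: environment handling for a suid
 * wrapper that executes a non-suid helper.  All names are hypothetical. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Allow-list of variables a privileged wrapper may forward to a child.
 * Anything not listed, in particular LD_* (case a) and LANGUAGE/LC_*
 * (case b), is dropped.  Assumed list; adapt to the helper's real needs. */
static const char *const keep[] = { "TERM", "HOME", "USER", "LOGNAME", NULL };

/* Copy only allow-listed "NAME=value" entries from src into a fresh
 * NULL-terminated array and append a fixed PATH.  Entries without '='
 * are dropped.  Returns NULL on allocation failure; caller frees with free_env(). */
char **build_clean_env(char *const *src)
{
    size_t n = 0;
    while (src[n]) n++;
    char **dst = calloc(n + 2, sizeof *dst);   /* room for PATH and NULL */
    if (!dst) return NULL;
    size_t out = 0;
    for (size_t i = 0; i < n; i++) {
        const char *eq = strchr(src[i], '=');
        if (!eq) continue;
        size_t klen = (size_t)(eq - src[i]);
        for (const char *const *k = keep; *k; k++) {
            if (strlen(*k) == klen && strncmp(*k, src[i], klen) == 0) {
                dst[out++] = strdup(src[i]);
                break;
            }
        }
    }
    dst[out++] = strdup("PATH=/bin:/usr/bin");
    dst[out] = NULL;
    return dst;
}

/* Does env still contain a variable called name? (exact name, then '=') */
int env_has(char *const *env, const char *name)
{
    size_t l = strlen(name);
    for (; *env; env++)
        if (strncmp(*env, name, l) == 0 && (*env)[l] == '=') return 1;
    return 0;
}

void free_env(char **env)
{
    for (char **p = env; *p; p++) free(*p);
    free(env);
}

/* Vulnerable pattern (case a): still privileged, and the child inherits
 * environ unchanged.  ld.so ignored LD_PRELOAD for this setuid process,
 * but the helper is not setuid, so the linker honours it there. */
int run_helper_unsafe(const char *helper)
{
    execl(helper, helper, (char *)NULL);
    return -1;                       /* only reached if exec failed */
}

/* Hardened pattern: drop privileges first, then exec with a rebuilt
 * environment instead of the inherited one. */
int run_helper_safe(const char *helper)
{
    char **env = build_clean_env(environ);
    if (!env) return -1;
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0) {
        free_env(env);
        return -1;
    }
    execve(helper, (char *const[]){ (char *)helper, NULL }, env);
    free_env(env);
    return -1;                       /* only reached if exec failed */
}

int main(void)
{
    /* Constructed attacker environment for demonstration purposes. */
    char *attacker_env[] = {
        "LD_PRELOAD=/tmp/evil.so", "LD_LIBRARY_PATH=/tmp", "LANGUAGE=de",
        "TERM=xterm", "HOME=/home/alice", NULL };
    char **clean = build_clean_env(attacker_env);
    if (!clean) return 1;
    for (char **p = clean; *p; p++) puts(*p);   /* TERM, HOME, PATH only */
    free_env(clean);
    return 0;
}
```

An allow-list is preferred over stripping known-bad names because the linker and the C library read more variables than LD_PRELOAD and LD_LIBRARY_PATH, and case b) shows that a new dangerous one can turn up in code that has nothing to do with ld.so.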
SuSE provides updated packages for the vulnerable libraries. It is
strongly recommended to upgrade to the latest version found on our ftp
server as described below. The update packages remove all currently
known security problems in the glibc package.
Download the update packages as described below and install each
package with the command `rpm -Fhv file.rpm'. The md5sum for each file
is given in the line below it. You can verify the integrity of the rpm
files using the command
`rpm --checksig --nogpg file.rpm',
independently of the md5 sums below.
SPECIAL INSTALL INSTRUCTIONS: Note that the complete update
consists of three (3) binary rpm packages and one source rpm
package per distribution and platform. libc-*.rpm contains the
static libraries, libd is the package for the profiling+debugging
version of the libraries.
If at all possible, keep your machine quiet (no other activity) while
you perform the update. Execute the following commands after the rpm
update has been applied:
/sbin/ldconfig # alternatively, use SuSEconfig
/sbin/init u # re-executes init with the new libraries, so that a clean shutdown is possible later
2) Pending vulnerabilities in SuSE Distributions and
Workarounds:
This section addresses currently known vulnerabilities in
Linux/Unix systems that have not been resolved yet as of the
release date of this advisory.
- screen
local root compromise. Update+advisory follows this advisory.
- zope
SuSE distributions before 7.0 do not contain zope as a package.
An updated package for the freshly released SuSE-7.0 is on the way.
- xchat
A fix for the URL handler vulnerability is in progress and will
be released within a few days. There is currently no effective
and easy workaround other than removing the package by hand
(`rpm -e xchat'). More information on xchat can be found in
xchat's documentation directory /usr/doc/packages/xchat or
/usr/share/doc/packages/xchat for SuSE-7.0.
3) standard appendix:
SuSE runs two security mailing lists to which any interested
party may subscribe: