Date: Wed, 24 Jan 2001 13:04:50 -0700
From: Caldera Support Info sup-info@LOCUTUS4.CALDERASYSTEMS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Security update: CSSA-2001-007.0 glibc security
problems
Caldera Systems, Inc. Security Advisory
Subject: glibc security problems
Advisory number: CSSA-2001-007.0
Issue date: 2001 January, 23
Cross reference:
1. Problem Description
The ELF shared library loader that is part of glibc supports the
LD_PRELOAD environment variable that lets a user request that
additional shared libraries should be loaded when starting a
program. Normally, this feature should be disabled for setuid
applications because of its security implications.
However, the loader from glibc 2.1.1 and 2.1.3 will honor this
variable even in setuid applications as long as it doesn’t contain
a slash. As a result, a user can ask that arbitrary libraries from
“system” directories can be loaded (i.e. from those directories
listed in /etc/ld.so.conf).
This is a serious security problem and can be exploited to
overwrite arbitrary files on the system, for instance.
2. Vulnerable Versions
System Package
OpenLinux 2.3 All packages previous to
glibc-2.1.3-6OL
OpenLinux eServer 2.3.1 All packages previous to
and OpenLinux eBuilder glibc-2.1.3-6S
OpenLinux eDesktop 2.4 All packages previous to
glibc-2.1.3-6
3. Solution
Workaround
none
The proper solution is to upgrade to the latest packages.
4. OpenLinux 2.3
4.1 Location of Fixed Packages
The upgrade packages can be found on Caldera’s FTP site at:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS
4.2 Verification
9dc46298c12e4ce5878c449477c8eaaf RPMS/glibc-2.1.3-6OL.i386.rpm
314e8df8a22a8a91ebcec87458256631 RPMS/glibc-devel-2.1.3-6OL.i386.rpm
1abc6e241431080fd8518537c2bfe05c RPMS/glibc-devel-static-2.1.3-6OL.i386.rpm
0417ac3f91cdb70844cdcfccfa002df2 RPMS/glibc-localedata-2.1.3-6OL.i386.rpm
a20d073239a2954eae0e309b904ddf8b SRPMS/glibc-2.1.3-6OL.src.rpm
4.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fhv glibc-*i386.rpm
5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential
3.0
5.1 Location of Fixed Packages
The upgrade packages can be found on Caldera’s FTP site at:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS
5.2 Verification
d39b9c6ac5ac1df9e80697378523c5f6 RPMS/glibc-2.1.3-6S.i386.rpm
e7b5b186cf417d85019cdc8ae4ecd5b7 RPMS/glibc-devel-2.1.3-6S.i386.rpm
a27c78c47fa17828371af34acafc3116 RPMS/glibc-devel-static-2.1.3-6S.i386.rpm
02119c37b969a3542902d71c6928509d RPMS/glibc-localedata-2.1.3-6S.i386.rpm
b73f5ccb9f77285ee015f04b03d3aeed SRPMS/glibc-2.1.3-6S.src.rpm
5.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh glibc-*i386.rpm
6. OpenLinux eDesktop 2.4
6.1 Location of Fixed Packages
The upgrade packages can be found on Caldera’s FTP site at:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS
6.2 Verification
a858ce863ee8dccaadb68e5be00a9d20 RPMS/glibc-2.1.3-6.i386.rpm
e92757ff035c8d951667f10b710fa176 RPMS/glibc-devel-2.1.3-6.i386.rpm
deb77710633dfc7adc464eef059c7b09 RPMS/glibc-devel-static-2.1.3-6.i386.rpm
2595931b57b6d7023cfdf8216eb33deb RPMS/glibc-localedata-2.1.3-6.i386.rpm
050f35604750f406d952bca68ceb128e SRPMS/glibc-2.1.3-6.src.rpm
6.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh glibc-*i386.rpm
7. References
This and other Caldera security resources are located at:
http://www.calderasystems.com/support/security/index.html
This security fix closes Caldera’s internal Problem Report
8730.
8. Disclaimer
Caldera Systems, Inc. is not responsible for the misuse of any
of the information we provide on this website and/or through our
security advisories. Our advisories are a service to our customers
intended to promote secure installation and use of Caldera
OpenLinux.
9. Acknowledgements
Caldera Systems, Inc. wishes to thank the people at Wirex, and
Solar Designer, for their input.
Web Webster has more than 20 years of writing and editorial experience in the tech sector. He’s written and edited news, demand generation, user-focused, and thought leadership content for business software solutions, consumer tech, and Linux Today, he edits and writes for a portfolio of tech industry news and analysis websites including webopedia.com, and DatabaseJournal.com.
LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.
Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved
Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.