---

Red Hat Security Advisory: glibc vulnerabilities in ld.so, locale and gettext

Date: Fri, 1 Sep 2000 15:37 -0400
From: [email protected]
To: [email protected]
Subject: [RHSA-2000:057-02] glibc vulnerabilities in ld.so, locale and gettext


                   Red Hat, Inc. Security Advisory

Synopsis:          glibc vulnerabilities in ld.so, locale and gettext
Advisory ID:       RHSA-2000:057-01
Issue date:        2000-09-01
Updated on:        2000-09-01
Product:           Red Hat Linux
Keywords:          glibc ld.so locale LANG gettext LD_PRELOAD threads
Cross references:  N/A

1. Topic:

Several bugs were discovered in glibc which could allow local
users to gain root privileges.

2. Relevant releases/architectures:

Red Hat Linux 5.0 – i386, alpha
Red Hat Linux 5.1 – i386, alpha, sparc
Red Hat Linux 5.2 – i386, alpha, sparc
Red Hat Linux 6.0 – i386, alpha, sparc
Red Hat Linux 6.1 – i386, alpha, sparc, sparcv9
Red Hat Linux 6.2 – i386, alpha, sparc, sparcv9

3. Problem description:

The dynamic linker ld.so uses several environment variables like
LD_PRELOAD and LD_LIBRARY_PATH to load additional libraries or
modify the library search path. It is unsafe to accept arbitrary
user specified values of these variables when executing setuid
applications, so ld.so handles them specially in setuid programs
and also removes them from the environment.

One of the discovered bugs causes these variables not to be
removed from the environment under certain circumstances. This does
not pose a threat to setuid applications themselves, but it could
be exploited if a setuid application neither drops privileges nor
cleans up its environment prior to executing other programs.

A number of additional bugs have been found in glibc locale and
internationalization security checks. In internationalized
programs, users are permitted to select a locale or choose message
catalogues using environment variables such as LANG or LC_*. The
content of these variables is then used as part of pathnames for
searching message catalogues or locale files.

Normally, if these variables contain “/” characters, a program
can load the internationalization files from arbitrary directories.
This is unacceptable for setuid programs, which is why glibc does
not allow certain settings of these variables if the program is
setuid or setgid. However, some of these checks were done in
inappropriate places, contained bugs or were completely missing. It
is highly probable that some of these bugs can be used for local
root exploits.
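
The following C code is an added example, not part of the Red Hat advisory
or of glibc. It shows the environment clean-up described above for a setuid
program that executes other programs: only allowlisted variables are passed
on (so LD_PRELOAD and LD_LIBRARY_PATH never reach the child), and locale
values containing "/" or ".." are refused. The function names, the allowlist
and the fixed PATH are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical allowlist: only these names (plus LC_*) reach the child. */
static const char *const allowed[] = { "TERM", "LANG", "LANGUAGE", NULL };

/* Return 1 if the "NAME=value" entry may be passed to a child process. */
int env_entry_is_safe(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;
    size_t nlen = (size_t)(eq - entry);
    int ok = nlen > 3 && strncmp(entry, "LC_", 3) == 0;
    for (size_t i = 0; !ok && allowed[i] != NULL; i++)
        ok = strlen(allowed[i]) == nlen && strncmp(entry, allowed[i], nlen) == 0;
    /* Names off the allowlist (LD_PRELOAD, LD_LIBRARY_PATH, ...) are dropped.
     * Allowed values become parts of pathnames, so refuse '/' and "..". */
    return ok && strchr(eq + 1, '/') == NULL && strstr(eq + 1, "..") == NULL;
}

/* Fill out[] (cap slots, NULL-terminated) with a fixed PATH plus the safe
 * entries of in[]. Returns the entry count, or -1 if out[] is too small. */
int build_child_env(char *const in[], const char *out[], size_t cap)
{
    size_t n = 0;
    if (cap < 2)
        return -1;
    out[n++] = "PATH=/usr/bin:/bin";   /* assumed trusted search path */
    for (size_t i = 0; in[i] != NULL; i++) {
        if (!env_entry_is_safe(in[i]))
            continue;
        if (n + 1 >= cap)
            return -1;
        out[n++] = in[i];
    }
    out[n] = NULL;
    return (int)n;
}

int main(void)
{
    /* Constructed sample environment, not taken from a real system. */
    char *in[] = { "LD_PRELOAD=/tmp/x.so", "LANG=en_US", "LC_ALL=/tmp/x", NULL };
    const char *out[8];
    for (int i = 0, n = build_child_env(in, out, 8); i < n; i++)
        puts(out[i]);   /* pass out[] to execve() after dropping privileges */
    return 0;
}
```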

The Red Hat Linux 6.x updates also fix a linuxthreads deadlock
bug and handling of certain values of the TZ environment
variable.

4. Solution:

For each RPM for your particular architecture, run:

rpm -Fvh [filename]

where filename is the name of the RPM.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

13785 – Bug in pthreads blocks ability to preempt suspend and
resume threads on SMP machines

6. RPMs required:

Red Hat Linux 5.x:

sparc:
ftp://updates.redhat.com/5.2/sparc/glibc-2.0.7-29.2.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/glibc-debug-2.0.7-29.2.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/glibc-devel-2.0.7-29.2.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/glibc-profile-2.0.7-29.2.sparc.rpm

alpha:
ftp://updates.redhat.com/5.2/alpha/glibc-2.0.7-29.2.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-debug-2.0.7-29.2.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-devel-2.0.7-29.2.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-profile-2.0.7-29.2.alpha.rpm

i386:
ftp://updates.redhat.com/5.2/i386/glibc-2.0.7-29.2.i386.rpm
ftp://updates.redhat.com/5.2/i386/glibc-debug-2.0.7-29.2.i386.rpm
ftp://updates.redhat.com/5.2/i386/glibc-devel-2.0.7-29.2.i386.rpm
ftp://updates.redhat.com/5.2/i386/glibc-profile-2.0.7-29.2.i386.rpm

sources:
ftp://updates.redhat.com/5.2/SRPMS/glibc-2.0.7-29.2.src.rpm

Red Hat Linux 6.x:

sparc:
ftp://updates.redhat.com/6.2/sparc/glibc-2.1.3-19.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/glibc-devel-2.1.3-19.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/glibc-profile-2.1.3-19.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/nscd-2.1.3-19.sparc.rpm

i386:
ftp://updates.redhat.com/6.2/i386/glibc-2.1.3-19.i386.rpm
ftp://updates.redhat.com/6.2/i386/glibc-devel-2.1.3-19.i386.rpm
ftp://updates.redhat.com/6.2/i386/glibc-profile-2.1.3-19.i386.rpm
ftp://updates.redhat.com/6.2/i386/nscd-2.1.3-19.i386.rpm

alpha:
ftp://updates.redhat.com/6.2/alpha/glibc-2.1.3-19.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/glibc-devel-2.1.3-19.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/glibc-profile-2.1.3-19.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/nscd-2.1.3-19.alpha.rpm

sparcv9:
ftp://updates.redhat.com/6.2/sparcv9/glibc-2.1.3-19.sparcv9.rpm

sources:
ftp://updates.redhat.com/6.2/SRPMS/glibc-2.1.3-19.src.rpm

7. Verification:


These packages are GPG signed by Red Hat, Inc. for security. Our
key is available at:
http://www.redhat.com/corp/contact.html

You can verify each package with the following command:
rpm --checksig [filename]

If you only wish to verify that each package has not been
corrupted or tampered with, examine only the md5sum with the
following command:
rpm --checksig --nogpg [filename]

8. References:


http://www.securityfocus.com/templates/archive.pike?threads=0&start=2000-08-27&mid=79537&fromthread=1&list=1&end=2000-09-02&

Copyright(c) 2000 Red Hat, Inc.