Date: Wed, 6 Sep 2000 12:32:37 +0200
From: Roman Drahtmueller draht@suse.de
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: SuSE Security Announcement: shlibs (glibc)
SuSE Security Announcement Package: shlibs (glibc-2.0, glibc-2.1) Date: Wednesday, September 6th, 2000 12:30 MEST Affected SuSE versions: 6.0, 6.1, 6.2, 6.3, 6.4, 7.0 Vulnerability Type: local root compromise Severity (1-10): 9 SuSE default package: yes Other affected systems: all glibc based linux systems, other Un*x systems Content of this advisory: 1) security vulnerability resolved: shlibs (glibc) problem description, discussion, solution and upgrade information 2) pending vulnerabilities, temporary workarounds 3) standard appendix (further information)
1) problem description, brief discussion, solution, upgrade
information
The glibc implementations in all SuSE distributions starting
with SuSE-6.0 have multiple security problems where at least one of
them allows any local user to gain root access to the system.
a) ld-linux.so.2, the runtime linker, is supposed to clean
environment variables that may influence the execution of programs
ran by a suid program. Variables of that kind include
LD_LIBRARY_PATH and LD_PRELOAD. These variables do not have any
effect on the suid application itself since the linker ignores
them. However, if the suid program executes another non-suid
application without dropping privileges and without cleaning the
environment, the LD_* variables would allow an attacker to execute
arbitrary code as the effective uid of the calling suid program.
There is currently no program in the SuSE distribution known to be
susceptible to this problem.
b) locale handling portions of the glibc code fails to properly
check given environment settings such as the variable LANGUAGE.
This could lead to arbitrary code being executed as root, depending
on the permissions and ownerships of the program being used for the
exploit.
c) A bug in the mutex handling code in the shlibs version for
SuSE-7.0 could cause multithreaded applications to hang or crash.
This has also been fixed.
There is only one way to temporarily circumvent the exploit:
Disable all suid applications in the system.
SuSE provides a updated packages for the vulnerable libraries.
It is strongly recommended to upgrade to the latest version found
on our ftp server as described below. The update packages remove
all currently known security problems in the glibc package.
Download the update packages as described below and install the
package with the command `rpm -Fhv file.rpm’. The md5sum for each
file is in the line below. You can verify the integrity of the rpm
files using the command
`rpm –checksig –nogpg file.rpm’,
independently from the md5 signatures below.
SPECIAL INSTALL INSTRUCTIONS: Note that the complete update
consists of three (3) binary rpm packages and one source rpm
package per distribution and platform. libc-*.rpm contains the
static libraries, libd is the package for the profiling+debugging
version of the libraries.
If at all possible, keep your machine calm while you perform the
update. Execute the following commands after the rpm update has
been applied:
/sbin/ldconfig # alternatively, use SuSEconfig /sbin/init u # will restart init to make a clean shutdown # possible once needed.
i386 Intel Platform:
SuSE-7.0
ftp://ftp.suse.com/pub/suse/i386/update/7.0/a1/shlibs-2.1.3-154.i386.rpm
753176172ebf628c6567c70a9b950933
ftp://ftp.suse.com/pub/suse/i386/update/7.0/d1/libc-2.1.3-154.i386.rpm
0f0696fc359cdb7b13f40a52d6676f09
ftp://ftp.suse.com/pub/suse/i386/update/7.0/d2/libd-2.1.3-154.i386.rpm
4ca3268f91a9294313cf871e9f7cb8b8
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/libc-2.1.3-154.src.rpm
a6af3232fe6d474d6309c68469c126ec
SuSE-6.4
ftp://ftp.suse.com/pub/suse/i386/update/6.4/a1/shlibs-2.1.3-154.i386.rpm
150dcb3854b066c021c396b4a0fe25e6
ftp://ftp.suse.com/pub/suse/i386/update/6.4/d1/libc-2.1.3-154.i386.rpm
75c9aef75d6e7e4b196c21bb500d00e0
ftp://ftp.suse.com/pub/suse/i386/update/6.4/d2/libd-2.1.3-154.i386.rpm
47fff508b0b67a82356361aa23c8beae
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/libc-2.1.3-154.src.rpm
bfeaa4e15ecbe1fea986b710152b5fec
SuSE-6.3
ftp://ftp.suse.com/pub/suse/i386/update/6.3/a1/shlibs-2.1.2-47.i386.rpm
8e88f237414a4d8f96131b17267b4d53
ftp://ftp.suse.com/pub/suse/i386/update/6.3/d1/libc-2.1.2-47.i386.rpm
575bb0c94474add7ae02333cbb77cba0
ftp://ftp.suse.com/pub/suse/i386/update/6.3/d2/libd-2.1.2-47.i386.rpm
8728db143b6393a261aa9060d9321345
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/libc-2.1.2-47.src.rpm
eea1810dceafe5e7f77b4b5137829834
SuSE-6.2
ftp://ftp.suse.com/pub/suse/i386/update/6.2/a1/shlibs-2.1.1-29.i386.rpm
78360eddc58f3897a14327d2fa214191
ftp://ftp.suse.com/pub/suse/i386/update/6.2/d1/libc-2.1.1-29.i386.rpm
456cad1d8034d40ebbf8337d1308c4de
ftp://ftp.suse.com/pub/suse/i386/update/6.2/d2/libd-2.1.1-29.i386.rpm
6dccdf557c6d329b40238a1644368564
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/6.2/zq1/libc-2.1.1-29.src.rpm
cec489c212826cb2dcc65a602da61da3
SuSE-6.1
ftp://ftp.suse.com/pub/suse/i386/update/6.1/a1/shlibs-2000.9.5-0.i386.rpm
7a272e7f15fd2dec69401d4c788de015
ftp://ftp.suse.com/pub/suse/i386/update/6.1/d1/libc-2000.9.5-0.i386.rpm
c748944bbe8a55f69478e6ef0bda843a
ftp://ftp.suse.com/pub/suse/i386/update/6.1/d2/libd-2000.9.5-0.i386.rpm
7fce2e2e41b62dc985e48ee31f6dac1c
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/6.1/zq1/libc-2000.9.5-0.src.rpm
77fa60f5a3a10e02460bd1960b1f78f6
Please use the packages from the SuSE-6.1 directory for
SuSE-6.0!
Sparc Platform:
SuSE-7.0:
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/a1/shlibs-2.1.3-154.sparc.rpm
1563171d7ee17a3048500afd4424927d
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/d1/libc-2.1.3-154.sparc.rpm
a907fbb3e5e48664cadb6b75570e15b2
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/d2/libd-2.1.3-154.sparc.rpm
f60071e3a497e3af48078338b3bd6610
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/libc-2.1.3-154.src.rpm
690a34f9ddb6bd6edf41a07d5fba0ad4
AXP Alpha Platform:
SuSE-6.4
ftp://ftp.suse.com/pub/suse/axp/update/6.4/a1/shlibs-2.1.3-154.alpha.rpm
d08a782d1dc1cc406b2141727295befe
ftp://ftp.suse.com/pub/suse/axp/update/6.4/d1/libc-2.1.3-154.alpha.rpm
730c9b3c98f9d243c09ce41c5c4240a5
ftp://ftp.suse.com/pub/suse/axp/update/6.4/d2/libd-2.1.3-154.alpha.rpm
0c2ba3d11a42d84f48b1ee79a15e36b2
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/libc-2.1.3-154.src.rpm
a5f2a207c6f8b179bbd91cea9c96711d
SuSE-6.3
ftp://ftp.suse.com/pub/suse/axp/update/6.3/a1/shlibs-2.1.2-47.alpha.rpm
afc0ac7f3db066702fbd19bfaa216751
ftp://ftp.suse.com/pub/suse/axp/update/6.3/d1/libc-2.1.2-47.alpha.rpm
3530ef711231a5b378d14fe70e2971f6
ftp://ftp.suse.com/pub/suse/axp/update/6.3/d2/libd-2.1.2-47.alpha.rpm
5836a7a1557046b0c3498b7dec1ee436
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/libc-2.1.2-47.src.rpm
0100769ad09d68563a7540ba73c826d7
SuSE-6.1
ftp://ftp.suse.com/pub/suse/axp/update/6.1/a1/shlibs-2000.9.5-0.alpha.rpm
64c59dcb13069293694faf845446463e
ftp://ftp.suse.com/pub/suse/axp/update/6.1/d1/libc-2000.9.5-0.alpha.rpm
2b8df961dcfb42933cdf298f9229cffd
ftp://ftp.suse.com/pub/suse/axp/update/6.1/d2/libd-2000.9.5-0.alpha.rpm
75dd4bcfb0bf2cc64fe8dd5bfc4a69f0
source rpm:
ftp://ftp.suse.com/pub/suse/axp/update/6.1/zq1/libc-2000.9.5-0.src.rpm
11871baa8279f8c0c79f6c9d95ca531c
PPC Power PC Platform:
SuSE-6.4
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/a1/shlibs-2.1.3-154.ppc.rpm
8565cd463e4fbbccc39aa96f1eefdc70
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/d1/libc-2.1.3-154.ppc.rpm
987ed3d338fb7c42083cf6dd2057ce0b
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/d2/libd-2.1.3-154.ppc.rpm
a212f188cf31d55c2016236d2c313cf4
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/libc-2.1.3-154.src.rpm
401b4f2f306a065fb04edd89cd153364
2) Pending vulnerabilities in SuSE Distributions and
Workarounds:
This section addresses currently known vulnerabilities in
Linux/Unix systems that have not been resolved yet as of the
release date of this advisory.
- screen local root compromise. Update+advisory follows this advisory. - zope SuSE distributions before 7.0 do not contain zope as a package. An updated package for the freshly released SuSE-7.0 is on the way. - xchat A fix for the URL handler vulnerabilty is in progress and will be released within a few days. There is currently no effective and easy workaround other than removing the package by hand (`rpm -e xchat'). More information on xchat can be found in xchat's documentation directory /usr/doc/packages/xchat or /usr/share/doc/packages/xchat for SuSE-7.0.
3) standard appendix:
SuSE runs two security mailing lists to which any interested
party may subscribe:
suse-security@suse.com
– general/linux/SuSE security discussion.
All SuSE security announcements are sent to this list. To
subscribe, send an email to suse-security-subscribe@suse.com.
suse-security-announce@suse.com
– SuSE’s announce-only mailing list.
Only SuSE’s security annoucements are sent to this list. To
subscribe, send an email to suse-security-announce-subscribe@suse.com.
For general information or the frequently asked questions (faq)
send mail to:
suse-security-info@suse.com
or
suse-security-faq@suse.com
respectively.
SuSE’s security contact is security@suse.com.
Regards,
Roman Drahtmüller.
– – —
- - | Roman Drahtmüller draht@suse.de // "Caution: Cape does | SuSE GmbH - Security Phone: // not enable user to fly." | Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) | - -