---

SuSE Security Announcement: shlibs (glibc)

Date: Wed, 6 Sep 2000 12:32:37 +0200
From: Roman Drahtmueller [email protected]
To: [email protected]
Subject: SuSE Security Announcement: shlibs (glibc)


                        SuSE Security Announcement

        Package:                shlibs (glibc-2.0, glibc-2.1)
        Date:                   Wednesday, September 6th, 2000 12:30 MEST
        Affected SuSE versions: 6.0, 6.1, 6.2, 6.3, 6.4, 7.0
        Vulnerability Type:     local root compromise
        Severity (1-10):        9
        SuSE default package:   yes
        Other affected systems: all glibc based linux systems, other
                                                        Un*x systems

    Content of this advisory:
        1) security vulnerability resolved: shlibs (glibc)
           problem description, discussion, solution and upgrade information
        2) pending vulnerabilities, temporary workarounds
        3) standard appendix (further information)

1) problem description, brief discussion, solution, upgrade
information

The glibc implementations in all SuSE distributions starting
with SuSE-6.0 have multiple security problems where at least one of
them allows any local user to gain root access to the system.

a) ld-linux.so.2, the runtime linker, is supposed to clean
environment variables that may influence the execution of programs
ran by a suid program. Variables of that kind include
LD_LIBRARY_PATH and LD_PRELOAD. These variables do not have any
effect on the suid application itself since the linker ignores
them. However, if the suid program executes another non-suid
application without dropping privileges and without cleaning the
environment, the LD_* variables would allow an attacker to execute
arbitrary code as the effective uid of the calling suid program.
There is currently no program in the SuSE distribution known to be
susceptible to this problem.

b) locale handling portions of the glibc code fails to properly
check given environment settings such as the variable LANGUAGE.
This could lead to arbitrary code being executed as root, depending
on the permissions and ownerships of the program being used for the
exploit.

c) A bug in the mutex handling code in the shlibs version for
SuSE-7.0 could cause multithreaded applications to hang or crash.
This has also been fixed.

There is only one way to temporarily circumvent the exploit:
Disable all suid applications in the system.

SuSE provides a updated packages for the vulnerable libraries.
It is strongly recommended to upgrade to the latest version found
on our ftp server as described below. The update packages remove
all currently known security problems in the glibc package.

Download the update packages as described below and install the
package with the command `rpm -Fhv file.rpm’. The md5sum for each
file is in the line below. You can verify the integrity of the rpm
files using the command
`rpm –checksig –nogpg file.rpm’,
independently from the md5 signatures below.

SPECIAL INSTALL INSTRUCTIONS: Note that the complete update
consists of three (3) binary rpm packages and one source rpm
package per distribution and platform. libc-*.rpm contains the
static libraries, libd is the package for the profiling+debugging
version of the libraries.

If at all possible, keep your machine calm while you perform the
update. Execute the following commands after the rpm update has
been applied:

            /sbin/ldconfig      # alternatively, use SuSEconfig
            /sbin/init u        # will restart init to make a clean shutdown
                                # possible once needed.

i386 Intel Platform:

SuSE-7.0

ftp://ftp.suse.com/pub/suse/i386/update/7.0/a1/shlibs-2.1.3-154.i386.rpm

753176172ebf628c6567c70a9b950933

ftp://ftp.suse.com/pub/suse/i386/update/7.0/d1/libc-2.1.3-154.i386.rpm

0f0696fc359cdb7b13f40a52d6676f09

ftp://ftp.suse.com/pub/suse/i386/update/7.0/d2/libd-2.1.3-154.i386.rpm

4ca3268f91a9294313cf871e9f7cb8b8
source rpm:

ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/libc-2.1.3-154.src.rpm

a6af3232fe6d474d6309c68469c126ec

SuSE-6.4

ftp://ftp.suse.com/pub/suse/i386/update/6.4/a1/shlibs-2.1.3-154.i386.rpm

150dcb3854b066c021c396b4a0fe25e6

ftp://ftp.suse.com/pub/suse/i386/update/6.4/d1/libc-2.1.3-154.i386.rpm

75c9aef75d6e7e4b196c21bb500d00e0

ftp://ftp.suse.com/pub/suse/i386/update/6.4/d2/libd-2.1.3-154.i386.rpm

47fff508b0b67a82356361aa23c8beae
source rpm:

ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/libc-2.1.3-154.src.rpm

bfeaa4e15ecbe1fea986b710152b5fec

SuSE-6.3

ftp://ftp.suse.com/pub/suse/i386/update/6.3/a1/shlibs-2.1.2-47.i386.rpm

8e88f237414a4d8f96131b17267b4d53

ftp://ftp.suse.com/pub/suse/i386/update/6.3/d1/libc-2.1.2-47.i386.rpm

575bb0c94474add7ae02333cbb77cba0

ftp://ftp.suse.com/pub/suse/i386/update/6.3/d2/libd-2.1.2-47.i386.rpm

8728db143b6393a261aa9060d9321345
source rpm:

ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/libc-2.1.2-47.src.rpm

eea1810dceafe5e7f77b4b5137829834

SuSE-6.2

ftp://ftp.suse.com/pub/suse/i386/update/6.2/a1/shlibs-2.1.1-29.i386.rpm

78360eddc58f3897a14327d2fa214191

ftp://ftp.suse.com/pub/suse/i386/update/6.2/d1/libc-2.1.1-29.i386.rpm

456cad1d8034d40ebbf8337d1308c4de

ftp://ftp.suse.com/pub/suse/i386/update/6.2/d2/libd-2.1.1-29.i386.rpm

6dccdf557c6d329b40238a1644368564
source rpm:

ftp://ftp.suse.com/pub/suse/i386/update/6.2/zq1/libc-2.1.1-29.src.rpm

cec489c212826cb2dcc65a602da61da3

SuSE-6.1

ftp://ftp.suse.com/pub/suse/i386/update/6.1/a1/shlibs-2000.9.5-0.i386.rpm

7a272e7f15fd2dec69401d4c788de015

ftp://ftp.suse.com/pub/suse/i386/update/6.1/d1/libc-2000.9.5-0.i386.rpm

c748944bbe8a55f69478e6ef0bda843a

ftp://ftp.suse.com/pub/suse/i386/update/6.1/d2/libd-2000.9.5-0.i386.rpm

7fce2e2e41b62dc985e48ee31f6dac1c
source rpm:

ftp://ftp.suse.com/pub/suse/i386/update/6.1/zq1/libc-2000.9.5-0.src.rpm

77fa60f5a3a10e02460bd1960b1f78f6

Please use the packages from the SuSE-6.1 directory for
SuSE-6.0!

Sparc Platform:

SuSE-7.0:

ftp://ftp.suse.com/pub/suse/sparc/update/7.0/a1/shlibs-2.1.3-154.sparc.rpm

1563171d7ee17a3048500afd4424927d

ftp://ftp.suse.com/pub/suse/sparc/update/7.0/d1/libc-2.1.3-154.sparc.rpm

a907fbb3e5e48664cadb6b75570e15b2

ftp://ftp.suse.com/pub/suse/sparc/update/7.0/d2/libd-2.1.3-154.sparc.rpm

f60071e3a497e3af48078338b3bd6610
source rpm:

ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/libc-2.1.3-154.src.rpm

690a34f9ddb6bd6edf41a07d5fba0ad4

AXP Alpha Platform:

SuSE-6.4

ftp://ftp.suse.com/pub/suse/axp/update/6.4/a1/shlibs-2.1.3-154.alpha.rpm

d08a782d1dc1cc406b2141727295befe

ftp://ftp.suse.com/pub/suse/axp/update/6.4/d1/libc-2.1.3-154.alpha.rpm

730c9b3c98f9d243c09ce41c5c4240a5

ftp://ftp.suse.com/pub/suse/axp/update/6.4/d2/libd-2.1.3-154.alpha.rpm

0c2ba3d11a42d84f48b1ee79a15e36b2
source rpm:

ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/libc-2.1.3-154.src.rpm

a5f2a207c6f8b179bbd91cea9c96711d

SuSE-6.3

ftp://ftp.suse.com/pub/suse/axp/update/6.3/a1/shlibs-2.1.2-47.alpha.rpm

afc0ac7f3db066702fbd19bfaa216751

ftp://ftp.suse.com/pub/suse/axp/update/6.3/d1/libc-2.1.2-47.alpha.rpm

3530ef711231a5b378d14fe70e2971f6

ftp://ftp.suse.com/pub/suse/axp/update/6.3/d2/libd-2.1.2-47.alpha.rpm

5836a7a1557046b0c3498b7dec1ee436
source rpm:

ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/libc-2.1.2-47.src.rpm

0100769ad09d68563a7540ba73c826d7

SuSE-6.1

ftp://ftp.suse.com/pub/suse/axp/update/6.1/a1/shlibs-2000.9.5-0.alpha.rpm

64c59dcb13069293694faf845446463e

ftp://ftp.suse.com/pub/suse/axp/update/6.1/d1/libc-2000.9.5-0.alpha.rpm

2b8df961dcfb42933cdf298f9229cffd

ftp://ftp.suse.com/pub/suse/axp/update/6.1/d2/libd-2000.9.5-0.alpha.rpm

75dd4bcfb0bf2cc64fe8dd5bfc4a69f0
source rpm:

ftp://ftp.suse.com/pub/suse/axp/update/6.1/zq1/libc-2000.9.5-0.src.rpm

11871baa8279f8c0c79f6c9d95ca531c

PPC Power PC Platform:

SuSE-6.4

ftp://ftp.suse.com/pub/suse/ppc/update/6.4/a1/shlibs-2.1.3-154.ppc.rpm

8565cd463e4fbbccc39aa96f1eefdc70

ftp://ftp.suse.com/pub/suse/ppc/update/6.4/d1/libc-2.1.3-154.ppc.rpm

987ed3d338fb7c42083cf6dd2057ce0b

ftp://ftp.suse.com/pub/suse/ppc/update/6.4/d2/libd-2.1.3-154.ppc.rpm

a212f188cf31d55c2016236d2c313cf4
source rpm:

ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/libc-2.1.3-154.src.rpm

401b4f2f306a065fb04edd89cd153364


2) Pending vulnerabilities in SuSE Distributions and
Workarounds:

This section addresses currently known vulnerabilities in
Linux/Unix systems that have not been resolved yet as of the
release date of this advisory.

     - screen

        local root compromise. Update+advisory follows this advisory.

     - zope

        SuSE distributions before 7.0 do not contain zope as a package.
        An updated package for the freshly released SuSE-7.0 is on the way.

     - xchat

        A fix for the URL handler vulnerabilty is in progress and will
        be released within a few days. There is currently no effective
        and easy workaround other than removing the package by hand
        (`rpm -e xchat'). More information on xchat can be found in
        xchat's documentation directory /usr/doc/packages/xchat or
        /usr/share/doc/packages/xchat for SuSE-7.0.

3) standard appendix:

SuSE runs two security mailing lists to which any interested
party may subscribe:

[email protected]
– general/linux/SuSE security discussion.
All SuSE security announcements are sent to this list. To
subscribe, send an email to [email protected].

[email protected]

– SuSE’s announce-only mailing list.
Only SuSE’s security annoucements are sent to this list. To
subscribe, send an email to [email protected].

For general information or the frequently asked questions (faq)
send mail to:
[email protected]
or
[email protected]
respectively.


SuSE’s security contact is [email protected].


Regards,
Roman Drahtmüller.
– – —

 -                                                                      -
| Roman Drahtmüller        [email protected] //          "Caution: Cape does |
  SuSE GmbH - Security           Phone: //       not enable user to fly."
| Nürnberg, Germany     +49-911-740530 // (Batman Costume warning label) |
 -                                                                      -