5427632 2000-09-02 21:02 /179 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <12531>
Mottagare: Root (@) Nationernas Hus <12260>
Sänt: 2000-09-07 18:37
Mottagare: Red Hat Announce (import) <1574>
Sänt: 2000-09-07 18:40
Ärende: [RHSA-2000:057-02] glibc vulnerabilities in ld.so,
------------------------------------------------------------
locale and gettext
From: bugzilla@REDHAT.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <200009011937.PAA11617@lacrosse.corp.redhat.com>
---------------------------------------------------------------------
Red Hat, Inc. Security Advisory
Synopsis: glibc vulnerabilities in ld.so, locale and gettext
Advisory ID: RHSA-2000:057-01
Issue date: 2000-09-01
Updated on: 2000-09-01
Product: Red Hat Linux
Keywords: glibc ld.so locale LANG gettext LD_PRELOAD threads
Cross references: N/A
---------------------------------------------------------------------
1. Topic:
Several bugs were discovered in glibc which could allow local users to
gain root privileges.
2. Relevant releases/architectures:
Red Hat Linux 5.0 - i386, alpha
Red Hat Linux 5.1 - i386, alpha, sparc
Red Hat Linux 5.2 - i386, alpha, sparc
Red Hat Linux 6.0 - i386, alpha, sparc
Red Hat Linux 6.1 - i386, alpha, sparc, sparcv9
Red Hat Linux 6.2 - i386, alpha, sparc, sparcv9
3. Problem description:
The dynamic linker ld.so uses several environment variables like
LD_PRELOAD and LD_LIBRARY_PATH to load additional libraries or modify
the library search path. It is unsafe to accept arbitrary user
specified values of these variables when executing setuid
applications, so ld.so handles them specially in setuid programs and
also removes them from the environment.
One of the discovered bugs causes these variables not to be removed
from the environment under certain circumstances. This does not cause
any threat to setuid application themselves, but it could be
exploited if a setuid application does not either drop privileges or
clean up its environment prior to executing other programs.
A number of additional bugs have been found in glibc locale and
internationalization security checks. In internationalized programs,
users are permitted to select a locale or choose message catalogues
using environment variables such as LANG or LC_*. The content of
these variables is then used as part of pathnames for searching
message catalogues or locale files.
Normally, if these variables contain "/" characters, a program can
load the internationalization files from arbitrary directories. This
is unnacceptable for setuid programs, which is why glibc does not
allow certain settings of these variables if the program is setuid or
setgid. However, some of these checks were done in inappropriate
places, contained bugs or were completely missing. It is highly
probable that some of these bugs can be used for local root exploits.
The Red Hat Linux 6.x updates also fix a linuxthreads deadlock bug and
handling of certain values of the TZ environment variable.
4. Solution:
For each RPM for your particular architecture, run:
rpm -Fvh [filename]
where filename is the name of the RPM.
5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):
13785 - Bug in pthreads blocks ability to preempt suspend and resume
threads on SMP machines
6. RPMs required:
Red Hat Linux 5.x:
sparc:
ftp://updates.redhat.com/5.2/sparc/glibc-2.0.7-29.2.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/glibc-debug-2.0.7-29.2.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/glibc-devel-2.0.7-29.2.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/glibc-profile-2.0.7-29.2.sparc.rpm
alpha:
ftp://updates.redhat.com/5.2/alpha/glibc-2.0.7-29.2.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-debug-2.0.7-29.2.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-devel-2.0.7-29.2.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-profile-2.0.7-29.2.alpha.rpm
i386:
ftp://updates.redhat.com/5.2/i386/glibc-2.0.7-29.2.i386.rpm
ftp://updates.redhat.com/5.2/i386/glibc-debug-2.0.7-29.2.i386.rpm
ftp://updates.redhat.com/5.2/i386/glibc-devel-2.0.7-29.2.i386.rpm
ftp://updates.redhat.com/5.2/i386/glibc-profile-2.0.7-29.2.i386.rpm
sources:
ftp://updates.redhat.com/5.2/SRPMS/glibc-2.0.7-29.2.src.rpm
Red Hat Linux 6.x:
sparc:
ftp://updates.redhat.com/6.2/sparc/glibc-2.1.3-19.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/glibc-devel-2.1.3-19.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/glibc-profile-2.1.3-19.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/nscd-2.1.3-19.sparc.rpm
i386:
ftp://updates.redhat.com/6.2/i386/glibc-2.1.3-19.i386.rpm
ftp://updates.redhat.com/6.2/i386/glibc-devel-2.1.3-19.i386.rpm
ftp://updates.redhat.com/6.2/i386/glibc-profile-2.1.3-19.i386.rpm
ftp://updates.redhat.com/6.2/i386/nscd-2.1.3-19.i386.rpm
alpha:
ftp://updates.redhat.com/6.2/alpha/glibc-2.1.3-19.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/glibc-devel-2.1.3-19.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/glibc-profile-2.1.3-19.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/nscd-2.1.3-19.alpha.rpm
sparcv9:
ftp://updates.redhat.com/6.2/sparcv9/glibc-2.1.3-19.sparcv9.rpm
sources:
ftp://updates.redhat.com/6.2/SRPMS/glibc-2.1.3-19.src.rpm
7. Verification:
MD5 sum Package Name
--------------------------------------------------------------------------
6ca1331b30257a5a34417d9e3374540a 5.2/SRPMS/glibc-2.0.7-29.2.src.rpm
ef8f379f37e9fde8f67c087db45570c2 5.2/alpha/glibc-2.0.7-29.2.alpha.rpm
0d39f139ea5b23d08b5f3241a23d0731 5.2/alpha/glibc-debug-2.0.7-29.2.alpha.rpm
81e6df8260f301f5934910451fa14786 5.2/alpha/glibc-devel-2.0.7-29.2.alpha.rpm
658f0a9982cad961ab590e6cca5f1b6a 5.2/alpha/glibc-profile-2.0.7-29.2.alpha.rpm
b9963bc927e540815df84d64ba3b94c0 5.2/i386/glibc-2.0.7-29.2.i386.rpm
fc0c7b551073a9bffb65c49dba4800f3 5.2/i386/glibc-debug-2.0.7-29.2.i386.rpm
e0795db373902c9e2ffadc0c32dbbfff 5.2/i386/glibc-devel-2.0.7-29.2.i386.rpm
1b4d3d34588b19374fe6b29c6147bbcc 5.2/i386/glibc-profile-2.0.7-29.2.i386.rpm
dc215c32131cb25628a6be096dd3e539 5.2/sparc/glibc-2.0.7-29.2.sparc.rpm
19b3c1dd1f4f63885343202ae4ddb73c 5.2/sparc/glibc-debug-2.0.7-29.2.sparc.rpm
fb1c1437e8652cf799666198785c6890 5.2/sparc/glibc-devel-2.0.7-29.2.sparc.rpm
bcd19af1741f2704f38e74e89506bb86 5.2/sparc/glibc-profile-2.0.7-29.2.sparc.rpm
ab3e9097d3b105d0011befa30b75592e 6.2/SRPMS/glibc-2.1.3-19.src.rpm
96348fca0030190f920eb3e4769494bc 6.2/alpha/glibc-2.1.3-19.alpha.rpm
aff1e8a826da615c8737d2723618939e 6.2/alpha/glibc-devel-2.1.3-19.alpha.rpm
5a10a0874d44e9cb2a22c65c11d35062 6.2/alpha/glibc-profile-2.1.3-19.alpha.rpm
9136b639e89a8b873055cf259d711576 6.2/alpha/nscd-2.1.3-19.alpha.rpm
cb42ed08fea80af2f292ae2a6e3cc0a1 6.2/i386/glibc-2.1.3-19.i386.rpm
86a4b0d01f6a2b254b109c7a8078c3df 6.2/i386/glibc-devel-2.1.3-19.i386.rpm
2e93114d8487ba44d9a8c2be74e1d160 6.2/i386/glibc-profile-2.1.3-19.i386.rpm
0b9120417f2647a22992c98987218874 6.2/i386/nscd-2.1.3-19.i386.rpm
aa96cbcabf21eefb06df8d1f7da79ed8 6.2/sparc/glibc-2.1.3-19.sparc.rpm
a7cd77d25a30d2bfe884bd2dfd66cf04 6.2/sparc/glibc-devel-2.1.3-19.sparc.rpm
6ba0b5a628b226e0cc9cc2ba8d419f84 6.2/sparc/glibc-profile-2.1.3-19.sparc.rpm
3b93647462f192058c646e841c7a804f 6.2/sparc/nscd-2.1.3-19.sparc.rpm
94e92becb2c06e0e67b2cd39c8b19b14 6.2/sparcv9/glibc-2.1.3-19.sparcv9.rpm
These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at:
http://www.redhat.com/corp/contact.html
You can verify each package with the following command:
rpm --checksig <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
rpm --checksig --nogpg <filename>
8. References:
http://www.securityfocus.com/templates/archive.pike?threads=0&start=2000-08-27&mid=79537&fromthread=1&list=1&end=2000-09-02&
Copyright(c) 2000 Red Hat, Inc.
(5427632) ------------------------------------------(Ombruten)
Kommentar i text 5449865