Date: 17 January 2001
References: ESB-2001.023
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2001.022 -- RHSA-2001:001-05
glibc file read or write access local vulnerability
17 January 2001
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: glibc
Vendor: Red Hat
Operating System: Red Hat Linux
Linux
Impact: Create Arbitrary Files
Access Required: Local
--------------------------BEGIN INCLUDED TEXT--------------------
---------------------------------------------------------------------
Red Hat, Inc. Red Hat Security Advisory
Synopsis: glibc file read or write access local vulnerability
Advisory ID: RHSA-2001:001-05
Issue date: 2001-01-11
Updated on: 2001-01-11
Product: Red Hat Linux
Keywords: glibc RESOLV_HOST_CONF LD_PRELOAD
Cross references:
Obsoletes:
---------------------------------------------------------------------
1. Topic:
A couple of bugs in GNU C library 2.2 allow an unprivileged user to read
restricted files and to preload libraries in the /lib and /usr/lib
directories into SUID programs even if those libraries have not been
marked as such by the system administrator.
2. Relevant releases/architectures:
Red Hat Linux 7.0 - alpha, alphaev6, i386, i686
3. Problem description:
Because of a typo in the glibc source, the RESOLV_HOST_CONF and RES_OPTIONS
variables were not removed from the environment for SUID/SGID programs.
The LD_PRELOAD variable is normally honoured even for SUID/SGID applications
(but removed from the environment afterwards) if it does not contain `/'
characters, but there is a special check which only preloads found
libraries if they have the SUID bit set. If a library was found in
/etc/ld.so.cache, however, this check was not done, so a malicious user
could preload some /lib or /usr/lib library before a SUID/SGID application
and, e.g., create or overwrite a file he did not have permissions to.
In addition to fixing these security bugs, some non-security related bugs
have been fixed as well, namely RPC behaviour on unconnected UDP sockets
with 2.4 kernels and an alphaev6 memcpy bug causing random crashes on alphaev6.
In addition, this glibc provides a temporary workaround for a bug in
IBM JDK 1.1.8.
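The two checks described in section 3, modelled in C as an added illustration; this is not code from glibc or from Red Hat. The function names, the `check_cache_hits` switch and the sample values are hypothetical, and the variable list holds only the names this advisory mentions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Names taken from the advisory only; a real loader's list is longer. */
static const char *const unsafe_vars[] = {
    "LD_PRELOAD", "RESOLV_HOST_CONF", "RES_OPTIONS", NULL };

/* Drop unsafe NAME=value entries from envp in place; return how many went. */
int scrub_env(char **envp)
{
    int dropped = 0;
    char **out = envp;
    for (char **in = envp; *in != NULL; in++) {
        int unsafe = 0;
        for (size_t i = 0; unsafe_vars[i] != NULL; i++) {
            size_t n = strlen(unsafe_vars[i]);
            /* Require '=' right after the name so RES_OPTIONSX is kept. */
            if (strncmp(*in, unsafe_vars[i], n) == 0 && (*in)[n] == '=')
                unsafe = 1;
        }
        if (unsafe) dropped++; else *out++ = *in;
    }
    *out = NULL;
    return dropped;
}

/* Decision for one LD_PRELOAD entry in a SUID/SGID process. `mode` is the
   st_mode of the file the name resolved to, `from_cache` says whether it was
   found through /etc/ld.so.cache. check_cache_hits == 0 models the flaw
   (cache hits skip the SUID-bit test), 1 models the corrected behaviour. */
int preload_allowed(const char *name, mode_t mode, int from_cache,
                    int check_cache_hits)
{
    if (name[0] == '\0' || strchr(name, '/') != NULL)
        return 0;                       /* path components never allowed */
    if (from_cache && !check_cache_hits)
        return 1;                       /* flawed path: test skipped */
    return (mode & S_ISUID) != 0;       /* library must be marked SUID */
}

int main(void)
{
    /* Constructed sample environment and library name. */
    char *env[] = { "PATH=/bin", "RES_OPTIONS=debug",
                    "RESOLV_HOST_CONF=/tmp/x", NULL };
    printf("dropped %d variables\n", scrub_env(env));
    printf("cache hit, no SUID bit: flawed=%d fixed=%d\n",
           preload_allowed("libdemo.so", 0755, 1, 0),
           preload_allowed("libdemo.so", 0755, 1, 1));
    return 0;
}
```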
4. Solution:
Pick packages for your architecture and run:
rpm -Uvh glibc-[2c]*
rpm -Fvh glibc-[dp]* nscd-*
5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):
18332 - internet programs leave too many connections open
23562 - RESOLV_HOST_CONF can be used to read privileged files
23176 - "forgot to set AF_INET in udp sendmsg" caused by pmap_clnt.c bug
22932 - oracle 8.1.6 installer crashes with glibc-2.2-9.i686.rpm
23012 - RH7 update to glibc 2.2 breaks IBM Java 1.1.8 JDK
22913 - gcc -traditional error on stdio.h
22908 - <sys/cdefs.h> in glibc-devel-2.2-9 cpp warning
22494 - glibc-2.2-9
6. RPMs required:
Red Hat Linux 7.0:
SRPMS:
ftp://updates.redhat.com/7.0/SRPMS/glibc-2.2-12.src.rpm
alpha:
ftp://updates.redhat.com/7.0/alpha/glibc-2.2-12.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/glibc-common-2.2-12.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/glibc-devel-2.2-12.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/glibc-profile-2.2-12.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/nscd-2.2-12.alpha.rpm
alphaev6:
ftp://updates.redhat.com/7.0/alphaev6/glibc-2.2-12.alphaev6.rpm
i386:
ftp://updates.redhat.com/7.0/i386/glibc-2.2-12.i386.rpm
ftp://updates.redhat.com/7.0/i386/glibc-common-2.2-12.i386.rpm
ftp://updates.redhat.com/7.0/i386/glibc-devel-2.2-12.i386.rpm
ftp://updates.redhat.com/7.0/i386/glibc-profile-2.2-12.i386.rpm
ftp://updates.redhat.com/7.0/i386/nscd-2.2-12.i386.rpm
i686:
ftp://updates.redhat.com/7.0/i686/glibc-2.2-12.i686.rpm
7. Verification:
These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at:
http://www.redhat.com/corp/contact.html
You can verify each package with the following command:
rpm --checksig <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
rpm --checksig --nogpg <filename>
8. References:
http://www.securityfocus.com/bid/2181
Copyright(c) 2000 Red Hat, Inc.
--------------------------END INCLUDED TEXT--------------------
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.