[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#600667: eglibc: cve-2010-3847 dynamic linker expands $ORIGIN in setuid library search path

On Thu, 21 Oct 2010 19:36:04 +0200, Aurelien Jarno wrote:
> On Mon, Oct 18, 2010 at 06:58:45PM -0400, Michael Gilbert wrote:
> > package: eglibc
> > version: 2.11.2-6
> > severity: grave
> > tag: patch
> > 
> > an issue has been disclosed in eglibc.  see:
> > http://seclists.org/fulldisclosure/2010/Oct/257
> > 
> > patch available:
> > http://sourceware.org/ml/libc-hacker/2010-10/msg00007.html
> > 
> 
> I have just committed the fix, I am planning to do an upload soon to
> unstable. Do you think we should also fix it in stable? via a security
> release?

the exploitability of this issue is questionable, but i think it should
be fixed in a DSA just to be safe (based on the precautionary
principle).

thanks for working on the fix.

mike
Reply to: