
Bug#600667: eglibc: cve-2010-3847 dynamic linker expands $ORIGIN in setuid library search path



On Thu, Oct 21, 2010 at 03:43:59PM -0400, Michael Gilbert wrote:
> On Thu, 21 Oct 2010 19:36:04 +0200, Aurelien Jarno wrote:
> > On Mon, Oct 18, 2010 at 06:58:45PM -0400, Michael Gilbert wrote:
> > > package: eglibc
> > > version: 2.11.2-6
> > > severity: grave
> > > tag: patch
> > > 
> > > an issue has been disclosed in eglibc.  see:
> > > http://seclists.org/fulldisclosure/2010/Oct/257
> > > 
> > > patch available:
> > > http://sourceware.org/ml/libc-hacker/2010-10/msg00007.html
> > > 
> > 
> > I have just committed the fix, I am planning to do an upload soon to
> > unstable. Do you think we should also fix it in stable? via a security
> > release?
> 
> The exploitability of this issue is questionable, but I think it should
> be fixed in a DSA just to be safe (based on the precautionary
> principle).
> 
> Thanks for working on the fix.
> 

Ok, then I'll work on a stable upload after doing the unstable upload.
Unfortunately I don't have a lot of time to spend on Debian currently.

Also note that, given that glibc is not built with -DNDEBUG on Debian,
it seems it is not vulnerable. At least an assert is triggered when
trying the exploit instead of becoming root.

-- 
Aurelien Jarno	                        GPG: 1024D/F1BCDB73
aurelien@aurel32.net                 http://www.aurel32.net


