Bug#884615: src:glibc: CVE-2017-16997: incorrect RPATH/RUNPATH handling for SUID binaries

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#884615: src:glibc: CVE-2017-16997: incorrect RPATH/RUNPATH handling for SUID binaries
From: Aurelien Jarno <aurel32@debian.org>
Date: Sun, 17 Dec 2017 18:33:05 +0100
Message-id: <[🔎] 151353198508.1840.12419947883737574431.reportbug@ohm.local>
Reply-to: Aurelien Jarno <aurel32@debian.org>, 884615@bugs.debian.org

Package: src:glibc
Version: 2.19-1
Severity: important
Tags: upstream security patch
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=22625

The following vulnerability was published for glibc:

| CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
| for AT_SECURE or SUID binaries could be used to load libraries from the
| current directory.

See https://sourceware.org/bugzilla/show_bug.cgi?id=22625 for more details.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Reply to:

Follow-Ups:
- Bug#884615: marked as done (src:glibc: CVE-2017-16997: incorrect RPATH/RUNPATH handling for SUID binaries)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: [glibc] branch glibc-2.26 updated (807ce52 -> 1c67795)
Next by Date: [glibc] 01/01: releasing package glibc version 2.26-0experimental2
Previous by thread: [glibc] 01/01: debian/patches/locale/fix-LC_COLLATE-rules.diff: drop, not useful anymore and has side effects.
Next by thread: Bug#884615: marked as done (src:glibc: CVE-2017-16997: incorrect RPATH/RUNPATH handling for SUID binaries)
Index(es):
- Date
- Thread