Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Serious vulnerability in glibc (fwd)
From: Solar Designer <solar () FALSE COM>
Date: Sat, 2 Sep 2000 22:44:00 +0400


There're three known locale-related bugs which are (should be) fixed
in the updated glibc packages.

Some quotes from my report to the vendor-sec list, which was made
before I became aware of this third locale-related bug (and fix):

| glibc versions prior to 2000/08/21 contain two vulnerabilities in
| their locale support code:

[ And the third vulnerability, found and reported by Jouko PynnĐ–nen,
was fixed on 2000/08/27. ]

| 1. A check in locale/findlocale.c intended to not allow the use of
| user-supplied locales for SUID/SGID applications is both misplaced
| and incorrect.  It appears that this bug has been present since glibc
| 2.1, with older versions being vulnerable in a different way (there
| was no check at all).
| 2. A similar check was needed in catgets/catgets.c as well, but it
| was missing.  Both glibc 2.0 and 2.1 are affected.
| I would like to thank Ulrich Drepper for confirming my findings and
| developing the fix within days.
| The bugs can be exploited via a number of SUID/SGID programs, such as
| some of those found in the util-linux package.  See my security-audit
| post from July for a list of util-linux programs that don't clean the
| relevant env vars, use locale with printf-style format strings, and
| are installed SUID or SGID:
| http://marc.theaimsgroup.com/?l=linux-security-audit&m=96473323710822&w=2
| Please note that this is by no means limited to programs found in the
| util-linux package.
| It is very likely that a local root exploit is possible.
| Other, far less important fixes applied since 2.1.3, include:
| 1. The now well-known dl unsetenv bug.
| 2. MD5 alignment issues which may cause crypt(3) to crash with SIGBUS
| or cause kernel emulation of unaligned accesses (slow and annoying)
| with unusually long passwords (not necessarily valid), on platforms
| with strict alignment requirements (which means most platforms, but
| not x86).
| 3. The MD5-based crypt(3) used to leave sensitive data in the address
| space, other than its output buffer (which the application can clear,
| at least in theory).  (I am listing this as a bug since there was an
| attempt to ensure that sensitive data isn't left.)
| These are really of little importance, but may be worth including if
| an updated package is prepared anyway.
| All of these fixes are available in the CVS, or you can get them here:


[ I've updated this archive to include the 2000/08/27 fix as well. ]

| The patches may be applied directly to glibc 2.1.3 like this (for an
| RPM package):

Patch22: glibc-cvs-20000827-locale.diff
Patch23: glibc-cvs-20000824-unsetenv.diff
Patch24: glibc-cvs-20000824-md5-align-clean.diff

| %prep
| [...]
| %patch22 -p1
| %patch23 -p1
| cd md5-crypt
| %patch24 -p2

Solar Designer

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]