Re: Serious vulnerability in glibc (fwd)
From: Solar Designer <solar () FALSE COM>
Date: Sat, 2 Sep 2000 22:44:00 +0400
There're three known locale-related bugs which are (should be) fixed
in the updated glibc packages.
Some quotes from my report to the vendor-sec list, which was made
before I became aware of this third locale-related bug (and fix):
| glibc versions prior to 2000/08/21 contain two vulnerabilities in
| their locale support code:
[ And the third vulnerability, found and reported by Jouko Pynnönen,
was fixed on 2000/08/27. ]
| 1. A check in locale/findlocale.c intended to not allow the use of
| user-supplied locales for SUID/SGID applications is both misplaced
| and incorrect. It appears that this bug has been present since glibc
| 2.1, with older versions being vulnerable in a different way (there
| was no check at all).
| 2. A similar check was needed in catgets/catgets.c as well, but it
| was missing. Both glibc 2.0 and 2.1 are affected.
| I would like to thank Ulrich Drepper for confirming my findings and
| developing the fix within days.
| The bugs can be exploited via a number of SUID/SGID programs, such as
| some of those found in the util-linux package. See my security-audit
| post from July for a list of util-linux programs that don't clean the
| relevant env vars, use locale with printf-style format strings, and
| are installed SUID or SGID:
| Please note that this is by no means limited to programs found in the
| util-linux package.
| It is very likely that a local root exploit is possible.
| Other, far less important fixes applied since 2.1.3, include:
| 1. The now well-known dl unsetenv bug.
| 2. MD5 alignment issues which may cause crypt(3) to crash with SIGBUS
| or cause kernel emulation of unaligned accesses (slow and annoying)
| with unusually long passwords (not necessarily valid), on platforms
| with strict alignment requirements (which means most platforms, but
| not x86).
| 3. The MD5-based crypt(3) used to leave sensitive data in the address
| space, other than its output buffer (which the application can clear,
| at least in theory). (I am listing this as a bug since there was an
| attempt to ensure that sensitive data isn't left.)
| These are really of little importance, but may be worth including if
| an updated package is prepared anyway.
| All of these fixes are available in the CVS, or you can get them here:
[ I've updated this archive to include the 2000/08/27 fix as well. ]
| The patches may be applied directly to glibc 2.1.3 like this (for an
| RPM package):
| %patch22 -p1
| %patch23 -p1
| cd md5-crypt
| %patch24 -p2
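The two locale bugs above have the same shape: a SUID/SGID program inherits LANG/LC_*/LOCPATH/NLSPATH from its unprivileged caller, glibc loads locale or message-catalogue data from where those variables point, and the program then hands a translated string to printf as a format string. The following is an added example (not code from the post, from glibc or from util-linux) of what the application side of the mitigation looks like: a secure-execution test in the spirit of the findlocale.c check, an environment scrubber that drops the locale-related variables before setlocale() is ever called, and a message emitter that never treats catalogue text as a format. The helper names, the variable list and the sample environment are this example's own assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Hypothetical helper: may this process honour caller-supplied locale
   settings?  A SUID/SGID program (real id != effective id) must not,
   which is the condition the findlocale.c check was meant to enforce. */
int locale_env_trusted(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return uid == euid && gid == egid;
}

/* Variables that steer glibc locale and catgets lookups.  LOCPATH and
   NLSPATH name directories; the rest choose a locale or catalogue name.
   (Assumed list for this example; keep it in sync with the libc in use.) */
static const char *const locale_vars[] = {
    "LOCPATH", "NLSPATH", "LANG", "LANGUAGE", "LC_ALL", "LC_MESSAGES",
    "LC_CTYPE", "LC_COLLATE", "LC_MONETARY", "LC_NUMERIC", "LC_TIME", NULL
};

static int is_locale_var(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t name_len = eq ? (size_t)(eq - entry) : strlen(entry);
    for (const char *const *v = locale_vars; *v; v++)
        if (strlen(*v) == name_len && strncmp(*v, entry, name_len) == 0)
            return 1;
    return 0;
}

/* Drop every locale-related entry from a NULL-terminated environment
   array in place; returns how many were removed.  Operating on an
   explicit array keeps the logic testable without touching environ. */
size_t strip_locale_env(char **envp)
{
    size_t kept = 0, dropped = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        if (is_locale_var(envp[i]))
            dropped++;
        else
            envp[kept++] = envp[i];
    }
    envp[kept] = NULL;
    return dropped;
}

/* Same scrub applied to the real process environment, for use at the
   top of main() in a privileged program, before any setlocale() call. */
void strip_locale_env_process(void)
{
    for (const char *const *v = locale_vars; *v; v++)
        unsetenv(*v);
}

/* Emit a (possibly translated) message without ever using it as a
   printf format; returns the number of bytes written or -1 on error.
   Compare the unsafe pattern printf(msg), which is what the bugs above
   turn into a format-string hole. */
int emit_message(FILE *out, const char *msg)
{
    return fputs(msg, out) == EOF ? -1 : (int)strlen(msg);
}

/* Constructed sample environment: two locale entries mixed with three
   unrelated ones (LANGX deliberately shares a prefix with LANG). */
size_t demo_dropped_count(void)
{
    static char e0[] = "PATH=/bin", e1[] = "LC_ALL=evil", e2[] = "HOME=/root",
                e3[] = "LOCPATH=/tmp/x", e4[] = "LANGX=1";
    char *env[] = { e0, e1, e2, e3, e4, NULL };
    size_t dropped = strip_locale_env(env);
    /* order of survivors must be preserved */
    if (env[0] != e0 || env[1] != e2 || env[2] != e4 || env[3] != NULL)
        return (size_t)-1;
    return dropped;
}

int main(void)
{
    if (!locale_env_trusted(getuid(), geteuid(), getgid(), getegid()))
        strip_locale_env_process();   /* privileged: ignore caller's locale */
    /* setlocale(LC_ALL, "") would be safe to call here */
    emit_message(stdout, "locale variables removed from demo env: ");
    printf("%zu\n", demo_dropped_count());
    return 0;
}
```

Scrubbing the environment is the application-side defence that works regardless of which libc version is installed; the glibc fixes referenced in the post close the same hole from the library side.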