Bugtraq mailing list archives
Re: Serious vulnerability in glibc (fwd)
From: Solar Designer <solar () FALSE COM>
Date: Sat, 2 Sep 2000 22:44:00 +0400
Hello,

There're three known locale-related bugs which are (should be) fixed in
the updated glibc packages. Some quotes from my report to the vendor-sec
list, which was made before I became aware of this third locale-related
bug (and fix):

| glibc versions prior to 2000/08/21 contain two vulnerabilities in
| their locale support code:

[ And the third vulnerability, found and reported by Jouko Pynnönen, was
fixed on 2000/08/27. ]

| 1. A check in locale/findlocale.c intended to not allow the use of
| user-supplied locales for SUID/SGID applications is both misplaced
| and incorrect. It appears that this bug has been present since glibc
| 2.1, with older versions being vulnerable in a different way (there
| was no check at all).
|
| 2. A similar check was needed in catgets/catgets.c as well, but it
| was missing. Both glibc 2.0 and 2.1 are affected.
|
| I would like to thank Ulrich Drepper for confirming my findings and
| developing the fix within days.
|
| The bugs can be exploited via a number of SUID/SGID programs, such as
| some of those found in the util-linux package. See my security-audit
| post from July for a list of util-linux programs that don't clean the
| relevant env vars, use locale with printf-style format strings, and
| are installed SUID or SGID:
|
| http://marc.theaimsgroup.com/?l=linux-security-audit&m=96473323710822&w=2
|
| Please note that this is by no means limited to programs found in the
| util-linux package.
|
| It is very likely that a local root exploit is possible.
|
| Other, far less important fixes applied since 2.1.3, include:
|
| 1. The now well-known dl unsetenv bug.
|
| 2. MD5 alignment issues which may cause crypt(3) to crash with SIGBUS
| or cause kernel emulation of unaligned accesses (slow and annoying)
| with unusually long passwords (not necessarily valid), on platforms
| with strict alignment requirements (which means most platforms, but
| not x86).
|
| 3. The MD5-based crypt(3) used to leave sensitive data in the address
| space, other than its output buffer (which the application can clear,
| at least in theory). (I am listing this as a bug since there was an
| attempt to ensure that sensitive data isn't left.)
|
| These are really of little importance, but may be worth including if
| an updated package is prepared anyway.
|
| All of these fixes are available in the CVS, or you can get them here:
|
| ftp://ftp.openwall.com/pvt/glibc-cvs-20000827-security-patches.tar.gz

[ I've updated this archive to include the 2000/08/27 fix as well. ]

| The patches may be applied directly to glibc 2.1.3 like this (for an
| RPM package):
|
| Patch22: glibc-cvs-20000827-locale.diff
| Patch23: glibc-cvs-20000824-unsetenv.diff
| Patch24: glibc-cvs-20000824-md5-align-clean.diff
|
| %prep
| [...]
| %patch22 -p1
| %patch23 -p1
| cd md5-crypt
| %patch24 -p2

Signed,
Solar Designer
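The post's point is that a SUID/SGID program must not let a user-supplied locale or message catalog reach setlocale(3)/catopen(3), which is what the findlocale.c and catgets.c checks were meant to enforce inside glibc. The following is an added example, not code from the post or from glibc: it shows the application-side defence, scrubbing the locale-steering environment variables when the process runs with elevated privilege and pinning the locale to "C". The function names (running_setugid, scrub_locale_env, safe_setlocale) and the variable list are this example's own choices.

```c
#define _DEFAULT_SOURCE
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Environment variables that steer glibc's locale and message-catalog
 * lookup (NLSPATH is the one catgets/catopen honours). Assumed list. */
static const char *const locale_vars[] = {
    "LANG", "LANGUAGE", "LC_ALL", "LC_MESSAGES", "LC_CTYPE", "LC_COLLATE",
    "LC_MONETARY", "LC_NUMERIC", "LC_TIME", "NLSPATH", NULL
};

/* True when real and effective ids differ, i.e. we were started SUID/SGID. */
int running_setugid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Drop every caller-controllable locale variable; returns how many were set. */
int scrub_locale_env(void)
{
    int removed = 0;
    for (const char *const *p = locale_vars; *p != NULL; p++) {
        if (getenv(*p) != NULL) {
            unsetenv(*p);
            removed++;
        }
    }
    return removed;
}

/* Initialise the locale. A privileged process ignores the environment and
 * stays in "C"; an unprivileged one may honour it as usual. Returns the
 * locale name glibc actually selected, or NULL if setlocale failed. */
const char *safe_setlocale(int privileged)
{
    if (privileged)
        scrub_locale_env();
    return setlocale(LC_ALL, privileged ? "C" : "");
}

int main(void)
{
    const char *name = safe_setlocale(running_setugid());
    printf("locale in effect: %s\n", name ? name : "(none)");
    return name ? 0 : 1;
}
```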