Re: Serious vulnerability in glibc (fwd)

[Solar Designer <solar () FALSE COM>]

Hello,

There're three known locale-related bugs which are (should be) fixed
in the updated glibc packages.

Some quotes from my report to the vendor-sec list, which was made
before I became aware of this third locale-related bug (and fix):

| glibc versions prior to 2000/08/21 contain two vulnerabilities in
| their locale support code:

[ And the third vulnerability, found and reported by Jouko PynnЖnen,
was fixed on 2000/08/27. ]

| 1. A check in locale/findlocale.c intended to not allow the use of
| user-supplied locales for SUID/SGID applications is both misplaced
| and incorrect.  It appears that this bug has been present since glibc
| 2.1, with older versions being vulnerable in a different way (there
| was no check at all).
|
| 2. A similar check was needed in catgets/catgets.c as well, but it
| was missing.  Both glibc 2.0 and 2.1 are affected.
|
| I would like to thank Ulrich Drepper for confirming my findings and
| developing the fix within days.
|
| The bugs can be exploited via a number of SUID/SGID programs, such as
| some of those found in the util-linux package.  See my security-audit
| post from July for a list of util-linux programs that don't clean the
| relevant env vars, use locale with printf-style format strings, and
| are installed SUID or SGID:
|
| http://marc.theaimsgroup.com/?l=linux-security-audit&m=96473323710822&w=2
|
| Please note that this is by no means limited to programs found in the
| util-linux package.
|
| It is very likely that a local root exploit is possible.
|
| Other, far less important fixes applied since 2.1.3, include:
|
| 1. The now well-known dl unsetenv bug.
|
| 2. MD5 alignment issues which may cause crypt(3) to crash with SIGBUS
| or cause kernel emulation of unaligned accesses (slow and annoying)
| with unusually long passwords (not necessarily valid), on platforms
| with strict alignment requirements (which means most platforms, but
| not x86).
|
| 3. The MD5-based crypt(3) used to leave sensitive data in the address
| space, other than its output buffer (which the application can clear,
| at least in theory).  (I am listing this as a bug since there was an
| attempt to ensure that sensitive data isn't left.)
|
| These are really of little importance, but may be worth including if
| an updated package is prepared anyway.
|
| All of these fixes are available in the CVS, or you can get them here:

ftp://ftp.openwall.com/pvt/glibc-cvs-20000827-security-patches.tar.gz

[ I've updated this archive to include the 2000/08/27 fix as well. ]

| The patches may be applied directly to glibc 2.1.3 like this (for an
| RPM package):

Patch22: glibc-cvs-20000827-locale.diff
Patch23: glibc-cvs-20000824-unsetenv.diff
Patch24: glibc-cvs-20000824-md5-align-clean.diff

| %prep
| [...]
| %patch22 -p1
| %patch23 -p1
| cd md5-crypt
| %patch24 -p2

Signed,
Solar Designer