5446057 2000-09-08 02:42 /186 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <12667>
Subject: [RHSA-2000:057-04] glibc vulnerabilities in ld.so, locale and gettext
------------------------------------------------------------
From: bugzilla@REDHAT.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <200009072037.QAA09120@lacrosse.corp.redhat.com>

---------------------------------------------------------------------
                   Red Hat, Inc. Security Advisory

Synopsis:          glibc vulnerabilities in ld.so, locale and gettext
Advisory ID:       RHSA-2000:057-04
Issue date:        2000-09-01
Updated on:        2000-09-07
Product:           Red Hat Linux
Keywords:          glibc ld.so locale LANG gettext LD_PRELOAD threads
Cross references:  N/A
---------------------------------------------------------------------

1. Topic:

Several bugs were discovered in glibc which could allow local users to
gain root privileges.

2. Relevant releases/architectures:

Red Hat Linux 5.0 - i386, alpha
Red Hat Linux 5.1 - i386, alpha, sparc
Red Hat Linux 5.2 - i386, alpha, sparc
Red Hat Linux 6.0 - i386, alpha, sparc
Red Hat Linux 6.1 - i386, alpha, sparc, sparcv9
Red Hat Linux 6.2 - i386, alpha, sparc, sparcv9

3. Problem description:

The dynamic linker ld.so uses several environment variables like
LD_PRELOAD and LD_LIBRARY_PATH to load additional libraries or modify
the library search path. It is unsafe to accept arbitrary user
specified values of these variables when executing setuid
applications, so ld.so handles them specially in setuid programs and
also removes them from the environment.

One of the discovered bugs causes these variables not to be removed
from the environment under certain circumstances. This does not cause
any threat to setuid applications themselves, but it could be exploited
if a setuid application does not either drop privileges or clean up
its environment prior to executing other programs.

A number of additional bugs have been found in glibc locale and
internationalization security checks.
In internationalized programs, users are permitted to select a locale
or choose message catalogues using environment variables such as LANG
or LC_*. The content of these variables is then used as part of
pathnames for searching message catalogues or locale files.

Normally, if these variables contain "/" characters, a program can load
the internationalization files from arbitrary directories. This is
unacceptable for setuid programs, which is why glibc does not allow
certain settings of these variables if the program is setuid or setgid.

However, some of these checks were done in inappropriate places,
contained bugs or were completely missing. It is highly probable that
some of these bugs can be used for local root exploits.

The Red Hat Linux 6.x updates also fix a linuxthreads deadlock bug and
handling of certain values of the TZ environment variable.

The previous version of the 6.x errata introduced some threading
problems visible with JDK and Mozilla, the 5.x errata had a bug which
caused several localized programs to die with segmentation fault at
startup. Both of these problems are fixed with this errata update.

4. Solution:

For each RPM for your particular architecture, run:

  rpm -Fvh [filename]

where filename is the name of the RPM.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

13785 - Bug in pthreads blocks ability to preempt suspend and resume
        threads on SMP machines
17203 - glibc-2.1.3-19 breaks Sun and IBM Java 1.3 on SMP
17187 - tcsh broken after glibc upgrade

6. RPMs required:

Red Hat Linux 5.2:

sparc:
ftp://updates.redhat.com/5.2/sparc/glibc-2.0.7-29.4.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/glibc-debug-2.0.7-29.4.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/glibc-devel-2.0.7-29.4.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/glibc-profile-2.0.7-29.4.sparc.rpm

alpha:
ftp://updates.redhat.com/5.2/alpha/glibc-2.0.7-29.4.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-debug-2.0.7-29.4.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-devel-2.0.7-29.4.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-profile-2.0.7-29.4.alpha.rpm

i386:
ftp://updates.redhat.com/5.2/i386/glibc-2.0.7-29.4.i386.rpm
ftp://updates.redhat.com/5.2/i386/glibc-debug-2.0.7-29.4.i386.rpm
ftp://updates.redhat.com/5.2/i386/glibc-devel-2.0.7-29.4.i386.rpm
ftp://updates.redhat.com/5.2/i386/glibc-profile-2.0.7-29.4.i386.rpm

sources:
ftp://updates.redhat.com/5.2/SRPMS/glibc-2.0.7-29.4.src.rpm

Red Hat Linux 6.2:

sparc:
ftp://updates.redhat.com/6.2/sparc/glibc-2.1.3-21.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/glibc-devel-2.1.3-21.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/glibc-profile-2.1.3-21.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/nscd-2.1.3-21.sparc.rpm

i386:
ftp://updates.redhat.com/6.2/i386/glibc-2.1.3-21.i386.rpm
ftp://updates.redhat.com/6.2/i386/glibc-devel-2.1.3-21.i386.rpm
ftp://updates.redhat.com/6.2/i386/glibc-profile-2.1.3-21.i386.rpm
ftp://updates.redhat.com/6.2/i386/nscd-2.1.3-21.i386.rpm

alpha:
ftp://updates.redhat.com/6.2/alpha/glibc-2.1.3-21.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/glibc-devel-2.1.3-21.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/glibc-profile-2.1.3-21.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/nscd-2.1.3-21.alpha.rpm

sparcv9:
ftp://updates.redhat.com/6.2/sparcv9/glibc-2.1.3-21.sparcv9.rpm

sources:
ftp://updates.redhat.com/6.2/SRPMS/glibc-2.1.3-21.src.rpm

7. Verification:

These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at:

  http://www.redhat.com/corp/contact.html

You can verify each package with the following command:

  rpm --checksig <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

  rpm --checksig --nogpg <filename>

8. References:

http://www.securityfocus.com/templates/archive.pike?threads=0&start=2000-08-27&mid=79537&fromthread=1&list=1&end=2000-09-02&

Copyright(c) 2000 Red Hat, Inc.
(5446057) ------------------------------------------(Re-wrapped)
Comment in text 5450124 by Brevbäraren (som är implementerad i) Python

5450124 2000-09-08 23:29 /70 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <12686>
Comment to text 5446057 by Brevbäraren (som är implementerad i) Python
Subject: Re: [RHSA-2000:057-04] glibc vulnerabilities in ld.so, locale and gettext
------------------------------------------------------------
From: Jim Knoble <jmknoble@PINT-STOWP.CX>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20000908122854.B12324@ntrnet.net>

What about the compatibility glibc libraries under Red Hat Linux 6.x:

  $ cat /etc/redhat-release
  Red Hat Linux release 6.2 (Zoot)
  $ rpm -qa |fgrep compat |fgrep libc
  compat-glibc-5.2-2.0.7.2
  $

Are they vulnerable? Will a fix be released? Do any other
distributions have such compatibility libraries?

--
jim knoble | jmknoble@jmknoble.cx | http://www.jmknoble.cx/

Circa 2000-Sep-07 16:37:00 -0400 dixit bugzilla@REDHAT.COM:

: ---------------------------------------------------------------------
:                    Red Hat, Inc. Security Advisory
:
: Synopsis:          glibc vulnerabilities in ld.so, locale and gettext
: Advisory ID:       RHSA-2000:057-04
: Issue date:        2000-09-01
: Updated on:        2000-09-07
: Product:           Red Hat Linux
: Keywords:          glibc ld.so locale LANG gettext LD_PRELOAD threads
: Cross references:  N/A
: ---------------------------------------------------------------------
:
: 1. Topic:
:
: Several bugs were discovered in glibc which could allow local users to
: gain root privileges.
:
: 2. Relevant releases/architectures:
:
: Red Hat Linux 5.0 - i386, alpha
: Red Hat Linux 5.1 - i386, alpha, sparc
: Red Hat Linux 5.2 - i386, alpha, sparc
  ^^^^^^^^^^^^^^^^^^^
: Red Hat Linux 6.0 - i386, alpha, sparc
: Red Hat Linux 6.1 - i386, alpha, sparc, sparcv9
: Red Hat Linux 6.2 - i386, alpha, sparc, sparcv9

[...]

: 6. RPMs required:

[...]

: Red Hat Linux 6.2:

[...]

: i386:
: ftp://updates.redhat.com/6.2/i386/glibc-2.1.3-21.i386.rpm
: ftp://updates.redhat.com/6.2/i386/glibc-devel-2.1.3-21.i386.rpm
: ftp://updates.redhat.com/6.2/i386/glibc-profile-2.1.3-21.i386.rpm
: ftp://updates.redhat.com/6.2/i386/nscd-2.1.3-21.i386.rpm
:

[Note no compat packages listed...]

: sources:
: ftp://updates.redhat.com/6.2/SRPMS/glibc-2.1.3-21.src.rpm
:
: 7. Verification:

[....]
(5450124) ------------------------------------------
Comment in text 5450505 by Brevbäraren (som är implementerad i) Python

5450505 2000-09-09 08:42 /62 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <12690>
Comment to text 5450124 by Brevbäraren (som är implementerad i) Python
Subject: Re: [RHSA-2000:057-04] glibc vulnerabilities in ld.so, locale and gettext
------------------------------------------------------------
From: Roman Drahtmueller <draht@SUSE.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.21.0009090145340.28586-100000@dent.suse.de>

> What about the compatibility glibc libraries under Red Hat Linux 6.x:
>
>   $ cat /etc/redhat-release
>   Red Hat Linux release 6.2 (Zoot)
>   $ rpm -qa |fgrep compat |fgrep libc
>   compat-glibc-5.2-2.0.7.2
>   $
>
> Are they vulnerable? Will a fix be released? Do any other
> distributions have such compatibility libraries?

SuSE distributions after (including) Version 6.0 came with libc-5.4.4? for
optional backward compatibility if binaries from older Linux distributions
need the good old libc5. As of today, libc5 is not known to be affected by
the recently discovered locale-related bugs.

SuSE distributions come with binaries linked only against _one_ single
libc/glibc version. (.1.)

*** Compatibility libraries between glibc-2.0 and glibc-2.1 based versions
of SuSE are not provided for stability reasons. ***

SuSE-5.3 came with a package named `shlibs6' (in series a1) to enable the
execution of glibc-2.0-linked programs. This library may be affected by
the recently discovered errors, whereas SuSE-5.3 packages do not depend on
this library, though, as stated in (.1.).
Please remove the package using the command 'rpm -e shlibs6' if you do not
need it. There is no update package for shlibs6 in SuSE-5.3, support for
shlibs6/SuSE-5.3 has been discontinued for stability reasons.
brief overview:

SuSE      Kernel    libc                    optional (not
version   version   version                 required) libraries
---------------------------------------------------------------------
5.3       2.0       libc-5.4 (glibc-1)      libc-6.0 (glibc-2.0)
6.0       2.0       libc-6.0 (glibc-2.0)    libc-5.4 (glibc-1)
6.1       2.2       libc-6.0 (glibc-2.0)    libc-5.4 (glibc-1)
6.2       2.2       libc-6.1 (glibc-2.1)    libc-5.4 (glibc-1)
6.3       %         %                       %
6.4       %         %                       %
7.0       %         %                       %

Thanks,
Roman.
--
 -                                                                      -
| Roman Drahtmüller      <draht@suse.de> //          "Caution: Cape does |
  SuSE GmbH - Security           Phone: //       not enable user to fly."
| Nürnberg, Germany     +49-911-740530 // (Batman Costume warning label) |
 -                                                                      -
(5450505) ------------------------------------------(Re-wrapped)
Comment in text 5455403 by Brevbäraren (som är implementerad i) Python

5455403 today 07:43 /21 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <12699>
Comment to text 5450505 by Brevbäraren (som är implementerad i) Python
Subject: Re: [RHSA-2000:057-04] glibc vulnerabilities in ld.so, locale and gettext
------------------------------------------------------------
From: Pavel Kankovsky <peak@ARGO.TROJA.MFF.CUNI.CZ>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20000910173339.1B2.0@bobanek.nowhere.cz>

On Sat, 9 Sep 2000, Roman Drahtmueller wrote:

> SuSE distributions after (including) Version 6.0 came with libc-5.4.4? for
> optional backward compatibility if binaries from older Linux distributions
> need the good old libc5. As of today, libc5 is not known to be affected by
> the recently discovered locale-related bugs.

There were locale related issues in libc 5.4.x. As far as I remember, all
(unpatched) versions prior to 5.4.45 were affected. 5.4.45 and 5.4.46
(the final libc5 release) include a paranoid patch that makes them ignore
most env. variables in set[ug]id programs (including LC_*, LANG, and
NLSPATH).

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
(5455403) ------------------------------------------(Re-wrapped)
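
Added example, not part of the thread and not glibc or libc5 code: the advisory notes that a setuid program must clean up its environment before executing other programs, and Pavel Kankovsky describes libc5 ignoring LC_*, LANG and NLSPATH in set[ug]id programs. The sketch below filters an environment along those lines before it is handed to a child process. The function names, the exact variable list, the "/" rule for locale values and the sample environment are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 1 if "NAME=value" must not reach a child; the policy is this example's assumption. */
static int env_entry_is_unsafe(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t n = eq ? (size_t)(eq - entry) : 0;
    if (n == 0)
        return 1;                       /* no name or no '=': drop */
    if (n >= 3 && strncmp(entry, "LD_", 3) == 0)
        return 1;                       /* LD_PRELOAD, LD_LIBRARY_PATH, ... */
    if (n == 7 && strncmp(entry, "NLSPATH", 7) == 0)
        return 1;                       /* message catalogue search path */
    if ((n == 4 && strncmp(entry, "LANG", 4) == 0) ||
        (n >= 3 && strncmp(entry, "LC_", 3) == 0))
        return strchr(eq + 1, '/') != NULL;   /* value becomes a path component */
    return 0;
}

/* Copy safe entries into out (cap pointers incl. final NULL); -1 if out is too small. */
int scrub_env(char *const envp[], const char *out[], size_t cap)
{
    size_t kept = 0;
    if (cap == 0)
        return -1;
    for (size_t i = 0; envp[i] != NULL; i++) {
        if (env_entry_is_unsafe(envp[i]))
            continue;
        if (kept + 1 >= cap)
            return -1;
        out[kept++] = envp[i];
    }
    out[kept] = NULL;
    return (int)kept;
}

int main(void)
{
    /* Constructed sample environment, not taken from the thread. */
    char *const sample[] = { "PATH=/bin:/usr/bin", "LD_LIBRARY_PATH=/home/u/lib",
                             "LANG=../../home/u/loc", "LC_ALL=en_US", NULL };
    const char *clean[8];
    int n = scrub_env(sample, clean, 8);    /* clean is the envp for execve() */
    for (int i = 0; i < n; i++)
        puts(clean[i]);
    return n < 0;
}
```

A privileged program would pass the filtered array as the envp argument of execve() after dropping privileges; an allowlist of known-needed variables is the stricter variant of the same idea.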