First published: Fri Jan 07 2011
The following patch was applied to glibc packages to address the dynamic linker privilege escalation issue <a href="https://access.redhat.com/security/cve/CVE-2010-3847">CVE-2010-3847</a> (see <a class="bz_bug_link bz_status_CLOSED bz_closed bz_public " title="CLOSED ERRATA - CVE-2010-3847 glibc: ld.so insecure handling of $ORIGIN in LD_AUDIT for setuid/setgid programs" href="show_bug.cgi?id=643306">bug #643306</a>):

<a href="https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3847#c26">https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3847#c26</a>
<a href="http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=4b646a51f13fd6816c483fb24c308a13264c6d1a">http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=4b646a51f13fd6816c483fb24c308a13264c6d1a</a>

This change introduced a regression in the handling of privileged programs that use $ORIGIN in R*PATH, either in the binary itself or in any of the libraries it depends on. When such a privileged program is run, the dynamic linker does not expand $ORIGIN in R*PATH and instead searches for additional dynamic objects starting from the current working directory. This could allow a local user to escalate their privileges, or cause the program to fail to find required libraries.

Prior to the <a href="https://access.redhat.com/security/cve/CVE-2010-3847">CVE-2010-3847</a> fix, it was possible to escalate privileges when a privileged program had $ORIGIN in R*PATH. An attacker needed write access to the file system hosting such a binary in order to hard-link it into an attacker-controlled directory. The attacker could then LD_PRELOAD a malicious library from the same directory and execute code with elevated privileges. This flaw was of limited risk, as setuid/setgid binaries with $ORIGIN in R*PATH appear to be rare (there is no such binary in Red Hat Enterprise Linux).

With the 4b646a51 fix applied, the attacker no longer needs write access to the file system holding the privileged program, and the relative-to-CWD search can also be triggered by the R*PATHs of dependent libraries. Even with these loosened requirements, there are currently no privileged programs shipped with Red Hat Enterprise Linux known to be exploitable using this flaw.

To address this issue, 4b646a51 was reverted and the following patch was applied in the fedora glibc git branch:

<a href="http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=96611391ad8823ba58405325d78cefeae5cdf699">http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=96611391ad8823ba58405325d78cefeae5cdf699</a>

The following patch is also required to avoid regressing the <a href="https://access.redhat.com/security/cve/CVE-2010-3847">CVE-2010-3847</a> fix:

<a href="https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3847#c22">https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3847#c22</a>
<a href="http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=22cd1c9bcf57c5829d65b6da825f7a459d40c9eb">http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=22cd1c9bcf57c5829d65b6da825f7a459d40c9eb</a>
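As an added example (not part of the Red Hat advisory or of glibc), a small audit script that looks for the precondition the advisory describes: setuid/setgid binaries whose RPATH or RUNPATH relies on $ORIGIN expansion. It assumes `readelf` from binutils is installed for the live scan; the embedded `readelf -d` output is a constructed sample.

```python
import os
import re
import stat
import subprocess

# Matches `readelf -d` rows, e.g. " 0x000000000000000f (RPATH)  Library rpath: [$ORIGIN/../lib]"
_DYN_RE = re.compile(r"\((NEEDED|RPATH|RUNPATH)\)\s+[^[]*\[([^\]]*)\]")

def parse_dynamic(readelf_output):
    """Extract NEEDED sonames and R*PATH search lists from `readelf -d` text."""
    found = {"NEEDED": [], "RPATH": [], "RUNPATH": []}
    for tag, value in _DYN_RE.findall(readelf_output):
        # R*PATH values are colon-separated search lists; NEEDED holds one soname
        found[tag].extend([value] if tag == "NEEDED" else value.split(":"))
    return found

def origin_entries(readelf_output):
    """R*PATH entries that rely on $ORIGIN expansion, which the regression skips."""
    dyn = parse_dynamic(readelf_output)
    return [e for e in dyn["RPATH"] + dyn["RUNPATH"] if "$ORIGIN" in e or "${ORIGIN}" in e]

def is_privileged(path):
    """True for regular files with the setuid or setgid bit set."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID))

def scan_privileged(root="/"):
    """Yield (path, $ORIGIN entries) for setuid/setgid files whose R*PATH uses $ORIGIN.
    Only the binary itself is inspected; its NEEDED libraries deserve the same check."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if not is_privileged(path):
                    continue
                out = subprocess.run(["readelf", "-d", path], capture_output=True, text=True).stdout
            except OSError:  # unreadable file or readelf not installed
                continue
            entries = origin_entries(out)
            if entries:
                yield path, entries

# Constructed sample of `readelf -d` output (not from any real binary).
SAMPLE = """ 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]
 0x000000000000000f (RPATH)   Library rpath: [$ORIGIN/../lib:/usr/lib64]
 0x000000000000001d (RUNPATH) Library runpath: [/opt/app/lib]
"""
```

On a host, `list(scan_privileged("/usr"))` lists the privileged binaries that match; the NEEDED sonames returned by `parse_dynamic` are the libraries to check next, since their R*PATHs trigger the same CWD-relative search.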
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
GNU C Library | =2.5-49.el5_5.6 | |
GNU C Library | =2.12-1.7.el6_0.3 | |
Red Hat Enterprise Linux | | |
CVE-2011-0536 is considered a moderate severity vulnerability due to its potential for privilege escalation.
To fix CVE-2011-0536, update to the patched versions of the glibc packages as recommended by your operating system vendor.
CVE-2011-0536 affects glibc versions 2.5-49.el5_5.6 and 2.12-1.7.el6_0.3 on Red Hat Enterprise Linux.
CVE-2011-0536 is a privilege escalation vulnerability in the dynamic linker (ld.so) of the glibc library.
CVE-2011-0536 impacts Red Hat Enterprise Linux systems using the vulnerable versions of the glibc library.