First published: Fri Jan 07 2011 (Updated: )
The following patch was applied to glibc packages to address the dynamic linker privilege escalation issue CVE-2010-3847 (https://access.redhat.com/security/cve/CVE-2010-3847; see bug #643306, https://bugzilla.redhat.com/show_bug.cgi?id=643306):

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3847#c26
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=4b646a51f13fd6816c483fb24c308a13264c6d1a

This change introduced a regression in the handling of privileged programs that use $ORIGIN in an R*PATH (RPATH or RUNPATH), either in the binary itself or in any of its dependent libraries. When such a privileged program is run, the dynamic linker no longer expands $ORIGIN in the R*PATH and instead searches for additional dynamic objects starting from the current working directory. This could allow a local user to escalate their privileges, or cause the program to fail to find required libraries.

Prior to the CVE-2010-3847 fix, it was possible to escalate privileges when a privileged program had $ORIGIN in its R*PATH. An attacker needed write access to the file system hosting such a binary in order to hard-link it into an attacker-controlled directory; the attacker could then LD_PRELOAD a malicious library from the same directory and execute code with elevated privileges. This flaw was of limited risk, as setuid/setgid binaries with $ORIGIN in R*PATH appear to be rare (there is no such binary in Red Hat Enterprise Linux).

With the 4b646a51 fix applied, the attacker no longer needs write access to the file system holding the privileged program, and the relative-to-CWD search can also be triggered by the R*PATHs of dependent libraries. Even with these loosened requirements, there are currently no privileged programs shipped with Red Hat Enterprise Linux known to be exploitable using this flaw.

To address this issue, 4b646a51 was reverted and the following patch was applied in the fedora glibc git branch:

http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=96611391ad8823ba58405325d78cefeae5cdf699

The following patch is also required to avoid regressing the CVE-2010-3847 fix:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3847#c22
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=22cd1c9bcf57c5829d65b6da825f7a459d40c9eb
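The advisory's risk assessment hinges on one question an administrator can answer locally: which setuid/setgid ELF binaries on a system carry $ORIGIN in their DT_RPATH or DT_RUNPATH, and which shared libraries they depend on. The script below is an added example written for this page, not Red Hat or glibc code. It walks a directory tree, picks out privileged regular files, and reads the .dynamic section through the section header table (the same entries `readelf -d` prints), reporting any R*PATH that contains $ORIGIN together with the DT_NEEDED names so the dependent libraries can be checked with the same parser. It assumes ELF64 little-endian images with an intact section header table; `build_sample_elf` produces a constructed, non-loadable image used only to exercise the parser offline.

```python
import os
import stat
import struct

# ELF constants used below (values from the ELF specification).
SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_NEEDED, DT_RPATH, DT_RUNPATH = 0, 1, 15, 29
TAG_NAMES = {DT_NEEDED: "DT_NEEDED", DT_RPATH: "DT_RPATH", DT_RUNPATH: "DT_RUNPATH"}


def dynamic_strings(data):
    """Return [(tag_name, string)] for DT_NEEDED/DT_RPATH/DT_RUNPATH entries of an
    ELF64 little-endian image, located through the section header table."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled in this example")
    e_shoff, = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    sections = []
    for i in range(e_shnum):
        f = struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
        sections.append({"type": f[1], "offset": f[4], "size": f[5], "link": f[6]})
    out = []
    for sec in sections:
        if sec["type"] != SHT_DYNAMIC:
            continue
        strtab = sections[sec["link"]]  # sh_link of .dynamic points at .dynstr
        for pos in range(sec["offset"], sec["offset"] + sec["size"], 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, pos)
            if d_tag == DT_NULL:
                break
            if d_tag in TAG_NAMES:
                start = strtab["offset"] + d_val
                end = data.index(b"\0", start)
                out.append((TAG_NAMES[d_tag], data[start:end].decode("utf-8", "replace")))
    return out


def origin_rpaths(entries):
    """R*PATH entries (not DT_NEEDED) that use $ORIGIN in either spelling."""
    return [(tag, p) for tag, p in entries
            if tag != "DT_NEEDED" and ("$ORIGIN" in p or "${ORIGIN}" in p)]


def audit_privileged_binary(data, mode):
    """Findings for one file. Only setuid/setgid files are of interest; returns None
    otherwise, else {"origin_rpaths": [...], "needed": [library names]}."""
    if not mode & (stat.S_ISUID | stat.S_ISGID):
        return None
    entries = dynamic_strings(data)
    return {"origin_rpaths": origin_rpaths(entries),
            "needed": [name for tag, name in entries if tag == "DT_NEEDED"]}


def audit_tree(root):
    """Walk root and report every privileged ELF file whose own R*PATH uses $ORIGIN.
    DT_NEEDED names are included so the dependent libraries can be inspected too."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
                continue
            finding = audit_privileged_binary(data, st.st_mode)
            if finding and finding["origin_rpaths"]:
                report[path] = finding
    return report


def build_sample_elf(rpath, tag=DT_RUNPATH, needed="libexample.so.1"):
    """Constructed sample (hypothetical, not a real binary): a minimal ELF64 image with
    only a .dynstr and a .dynamic section, which is all the parser above reads."""
    dynstr = b"\0" + needed.encode() + b"\0" + rpath.encode() + b"\0"
    needed_off, rpath_off = 1, len(needed) + 2
    dynamic = (struct.pack("<qQ", DT_NEEDED, needed_off) + struct.pack("<qQ", tag, rpath_off)
               + struct.pack("<qQ", DT_NULL, 0))
    dynstr_off = 64
    dynamic_off = dynstr_off + len(dynstr)
    shoff = dynamic_off + len(dynamic)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)

    def shdr(sh_type, off, size, link, entsize):
        return struct.pack("<IIQQQQIIQQ", 0, sh_type, 0, 0, off, size, link, 0, 1, entsize)

    shdrs = (shdr(0, 0, 0, 0, 0) + shdr(SHT_STRTAB, dynstr_off, len(dynstr), 0, 0)
             + shdr(SHT_DYNAMIC, dynamic_off, len(dynamic), 1, 16))
    return ehdr + dynstr + dynamic + shdrs


if __name__ == "__main__":
    import sys
    for path, finding in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "/usr").items():
        print(path, finding["origin_rpaths"], "needs:", finding["needed"])
```

Run it as `python3 audit_origin.py /usr` (file name assumed). A complete audit also resolves each reported DT_NEEDED name to the library the loader would pick and runs `dynamic_strings` on that file, since the advisory notes that with 4b646a51 applied the R*PATH of a dependent library triggers the same relative-to-CWD search.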
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
GNU glibc | =2.5-49.el5_5.6 | |
GNU glibc | =2.12-1.7.el6_0.3 | |
Redhat Enterprise Linux | | |