[11560] in bugtraq
Re: [Linux] glibc 2.1.x / wu-ftpd <=2.5 / BeroFTPD / lynx / vlock
daemon@ATHENA.MIT.EDU (Andreas Jaeger)
Sat Aug 28 16:19:42 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <u8vha42y37.fsf@arthur.rhein-neckar.de>
Date: Wed, 25 Aug 1999 08:06:36 +0200
Reply-To: Andreas Jaeger <aj@ARTHUR.RHEIN-NECKAR.DE>
From: Andreas Jaeger <aj@ARTHUR.RHEIN-NECKAR.DE>
X-To: Michal Zalewski <lcamtuf@ids.pl>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Michal Zalewski's message of "Sun, 4 Jul 1999 13:38:48 +0200"
>>>>> Michal Zalewski writes:
> First of all, something less or more personal - sorry to all secure@...pl
> people for this post. I'm really angry, as this stuff became well-known
> without my knowledge... so, only a few of my own observations, always
> trying to respect others' intellectual property.
> All the best goes to el- :P
> ----------------------------------------------
> glibc 2.1.x and Linux without devpts mechanism
> ----------------------------------------------
Please report glibc problems to the glibc developers first!
/usr/libexec/pt_chown --help outputs:
[...]
Report bugs using the `glibcbug' script to <bugs@gnu.org>.
I didn't see any report on this on any glibc list! :-(
I'm forwarding this now.
> ------------------------------
> glibc 2.0.x and LC_ALL, noexec
> ------------------------------
> Compromise: locally, doing things you shouldn't be able to do ;)
> First of all - doing /lib/ld-linux.so.2 /program/on/noexec/partition is
> the simplest way to bypass the noexec option, if only you have glibc 2.0.x.
> Nothing to say, security by obscurity stinks.
> Clean glibc 2.0.x, as distributed in .tar.gz, are vulnerable to a rather
> serious problem with LC_ALL containing '../' tricks (just like in telnetd
> and TERM case). In fact, in some Linux distributions, it has been silently
> fixed, while people upgrading glibc to eg. 2.0.7 'from scratch' are not
> aware of this problem, and many sites are vulnerable. Using prepared
> directory with locale specifications, including glibc error messages used
> eg. by perror(), luser will be able to for example read setuid programs'
> memory, etc.
AFAIK those problems are fixed in glibc 2.1.x - if not please tell us.
Andreas
--
Andreas Jaeger aj@arthur.rhein-neckar.de jaeger@informatik.uni-kl.de
for pgp-key finger ajaeger@aixd1.rhrk.uni-kl.de
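
Added example, not part of the original message and not glibc's own code: a check a privileged program could run at startup to drop LANG/LC_* values that could be read as paths, the '../' case quoted above. The function names and the allowed character set are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* 1 for a plain locale name ("C", "en_US.UTF-8", "de_DE@euro"); 0 otherwise. */
int locale_value_is_safe(const char *v)
{
    if (v == NULL || *v == '\0' || *v == '.' || strstr(v, "..") != NULL)
        return 0;
    for (; *v; v++) {
        unsigned char c = (unsigned char)*v;
        if (!isalnum(c) && c != '_' && c != '-' && c != '.' && c != '@')
            return 0;   /* rejects '/', whitespace, control bytes */
    }
    return 1;
}

/* 1 if the variable name (first n bytes of e) is LANG or any LC_* name. */
static int is_locale_var(const char *e, size_t n)
{
    return (n == 4 && !strncmp(e, "LANG", 4)) || (n > 3 && !strncmp(e, "LC_", 3));
}

/* Compact envp in place, dropping locale variables whose value is not a
 * plain name (an empty value is dropped too). Returns entries removed. */
int scrub_locale_env(char **envp)
{
    char **out = envp;
    int dropped = 0;
    for (char **in = envp; *in != NULL; in++) {
        const char *eq = strchr(*in, '=');
        if (eq && is_locale_var(*in, (size_t)(eq - *in)) &&
            !locale_value_is_safe(eq + 1)) {
            dropped++;
            continue;
        }
        *out++ = *in;
    }
    *out = NULL;
    return dropped;
}

int main(void)
{
    /* Constructed sample environment, not taken from the post. */
    char *env[] = { "PATH=/usr/bin", "LC_ALL=../../tmp/x", "LANG=en_US.UTF-8", NULL };
    printf("dropped %d entries\n", scrub_locale_env(env));
    return 0;
}
```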