[16534] in bugtraq
Re: Serious vulnerability in glibc (fwd)
daemon@ATHENA.MIT.EDU (Solar Designer)
Mon Sep 4 16:16:17 2000
MIME-Version: 1.0
Content-Type: text/plain; charset=KOI8-R
Content-Transfer-Encoding: 8bit
Message-ID: <200009021844.WAA23455@false.com>
Date: Sat, 2 Sep 2000 22:44:00 +0400
Reply-To: Solar Designer <solar@FALSE.COM>
From: Solar Designer <solar@FALSE.COM>
X-To: Jouko Pynnönen <jouko@solutions.fi>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.10.10009022026540.2855-100000@shell.solutions.fi>
from "[Jouko Pynnönen]" at "Sep 2, 0 08:30:53 pm"
Hello,
There're three known locale-related bugs which are (should be) fixed
in the updated glibc packages.
Some quotes from my report to the vendor-sec list, which was made
before I became aware of this third locale-related bug (and fix):
| glibc versions prior to 2000/08/21 contain two vulnerabilities in
| their locale support code:
[ And the third vulnerability, found and reported by Jouko Pynnönen,
was fixed on 2000/08/27. ]
| 1. A check in locale/findlocale.c intended to not allow the use of
| user-supplied locales for SUID/SGID applications is both misplaced
| and incorrect. It appears that this bug has been present since glibc
| 2.1, with older versions being vulnerable in a different way (there
| was no check at all).
|
| 2. A similar check was needed in catgets/catgets.c as well, but it
| was missing. Both glibc 2.0 and 2.1 are affected.
|
| I would like to thank Ulrich Drepper for confirming my findings and
| developing the fix within days.
|
| The bugs can be exploited via a number of SUID/SGID programs, such as
| some of those found in the util-linux package. See my security-audit
| post from July for a list of util-linux programs that don't clean the
| relevant env vars, use locale with printf-style format strings, and
| are installed SUID or SGID:
|
| http://marc.theaimsgroup.com/?l=linux-security-audit&m=96473323710822&w=2
|
| Please note that this is by no means limited to programs found in the
| util-linux package.
|
| It is very likely that a local root exploit is possible.
|
| Other, far less important fixes applied since 2.1.3, include:
|
| 1. The now well-known dl unsetenv bug.
|
| 2. MD5 alignment issues which may cause crypt(3) to crash with SIGBUS
| or cause kernel emulation of unaligned accesses (slow and annoying)
| with unusually long passwords (not necessarily valid), on platforms
| with strict alignment requirements (which means most platforms, but
| not x86).
|
| 3. The MD5-based crypt(3) used to leave sensitive data in the address
| space, other than its output buffer (which the application can clear,
| at least in theory). (I am listing this as a bug since there was an
| attempt to ensure that sensitive data isn't left.)
|
| These are really of little importance, but may be worth including if
| an updated package is prepared anyway.
|
| All of these fixes are available in the CVS, or you can get them here:
| ftp://ftp.openwall.com/pvt/glibc-cvs-20000827-security-patches.tar.gz
[ I've updated this archive to include the 2000/08/27 fix as well. ]
| The patches may be applied directly to glibc 2.1.3 like this (for an
| RPM package):
| Patch22: glibc-cvs-20000827-locale.diff
| Patch23: glibc-cvs-20000824-unsetenv.diff
| Patch24: glibc-cvs-20000824-md5-align-clean.diff
| %prep
| [...]
| %patch22 -p1
| %patch23 -p1
| cd md5-crypt
| %patch24 -p2
Signed,
Solar Designer
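The post describes SUID/SGID programs that leave locale environment variables untouched and then rely on libc's own (broken) privilege check. The defensive counterpart, as an added example that is not part of the post or of glibc, is for the privileged program to drop that environment itself before calling setlocale()/catopen(); which variables count as "relevant" (LANG, LANGUAGE, LOCPATH, NLSPATH and the LC_* family) is my assumption, not a list from the post.

```c
/* Added example (not from Solar Designer's post or from glibc): a
 * SUID/SGID program scrubbing user-controlled locale/catalog variables
 * so a faulty libc check is never the only line of defence.
 * The variable set below is my assumption of the "relevant env vars". */
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <locale.h>
#include <unistd.h>

extern char **environ;

/* Exact names honoured by locale and catgets lookups; LC_* is matched by prefix. */
static const char *const locale_vars[] = {
    "LANG", "LANGUAGE", "LOCPATH", "NLSPATH", NULL
};

static int is_locale_var(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t len = eq ? (size_t)(eq - entry) : strlen(entry);
    if (len >= 3 && strncmp(entry, "LC_", 3) == 0)
        return 1;
    for (const char *const *p = locale_vars; *p; p++)
        if (strlen(*p) == len && strncmp(entry, *p, len) == 0)
            return 1;
    return 0;
}

/* Removes every locale-related variable and returns how many were dropped.
 * Names are collected first because unsetenv() rewrites environ while we walk it. */
int scrub_locale_env(void)
{
    char *names[256];
    int n = 0;
    for (char **e = environ; e && *e && n < 256; e++) {
        if (!is_locale_var(*e)) continue;
        const char *eq = strchr(*e, '=');
        size_t len = eq ? (size_t)(eq - *e) : strlen(*e);
        if ((names[n] = strndup(*e, len)) != NULL) n++;
    }
    for (int i = 0; i < n; i++) { unsetenv(names[i]); free(names[i]); }
    return n;
}

/* Scrub only when privilege comes from the SUID/SGID bits, then initialise the
 * locale; with the variables gone, "" resolves to the system default ("C"). */
int secure_locale_init(void)
{
    int dropped = 0;
    if (getuid() != geteuid() || getgid() != getegid())
        dropped = scrub_locale_env();
    setlocale(LC_ALL, "");
    return dropped;
}
```

Call secure_locale_init() as the first thing in main() of a privileged program; an unprivileged run keeps the user's locale, so the program stays localisable for normal use.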