Re: Glibc Local Root Exploit
daemon@ATHENA.MIT.EDU (Ben Collins)
Wed Jan 10 16:46:55 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id: <20010110142222.E437@visi.net>
Date: Wed, 10 Jan 2001 14:22:22 -0500
Reply-To: Ben Collins <bcollins@DEBIAN.ORG>
From: Ben Collins <bcollins@DEBIAN.ORG>
X-To: Charles Stevenson <csteven@NEWHOPE.TERRAPLEX.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <B6815818.E3F%csteven@newhope.terraplex.com>; from csteven@NEWHOPE.TERRAPLEX.COM on Wed, Jan 10, 2001 at 12:06:48AM -0700
On Wed, Jan 10, 2001 at 12:06:48AM -0700, Charles Stevenson wrote:
> Hi all,
> This has been bouncing around on vuln-dev and the debian-devel lists. It
> affects glibc >= 2.1.9x and it would seem many if not all OSes using these
> versions of glibc. Ben Collins writes, "This wasn't supposed to happen, and
> the actual fix was a missing comma in the list of secure env vars that were
> supposed to be cleared when a program starts up suid/sgid (including
> RESOLV_HOST_CONF)." The exploit varies from system to system but in our
> devel version of Yellow Dog Linux I was able to print the /etc/shadow file
> as a normal user in the following manner:
>
> export RESOLV_HOST_CONF=/etc/shadow
> ssh whatever.host.com
>
> Other programs have the same effect depending on the defaults for the
> system. I have tested this on Red Hat 7.0, Yellow Dog Linux 2.0
> (prerelease), and Debian Woody. Others have reported similar results on
> slackware and even "home brew[ed]" GNU/Linux.
Just a note. The latest *released* Debian (2.2, aka potato) is not
vulnerable to this problem, since it uses glibc 2.1.3. Our unreleased
testing and devel (aka woody and sid) dists are vulnerable, at least
today. The fixed packages are being uploaded, and should be on mirrors
within 24-48 hours.
Don't expect a security announcement from this on Debian, since we only
do that for released distributions, which woody and sid are not.
Also, to give credit where credit is due, Jakub Jelinek actually
produced the patch that fixes this particular problem. I was merely
stating what I knew (in the quote above).
--
-----------=======-=-======-=========-----------=====------------=-=------
/ Ben Collins -- ...on that fantastic voyage... -- Debian GNU/Linux \
` bcollins@debian.org -- bcollins@openldap.org -- bcollins@linux.com '
`---=========------=======-------------=-=-----=-===-======-------=--=---'
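The "missing comma in the list of secure env vars" described in the thread is a classic C pitfall: two adjacent string literals with no comma between them are concatenated by the compiler into one literal, so both names silently vanish from the list. The following is an added illustration, not code from this thread and not glibc's source; the list contents, the `sanitize_env` routine and the constructed environment are simplified, hypothetical stand-ins that show only the mechanism and how a defender can check that a sanitization list actually contains the names it is supposed to.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified "clear these when running set-uid/set-gid" list.
 * NOT glibc's code: it only models the missing-comma defect. */

/* Defective list: no comma after "RESOLV_HOST_CONF", so the compiler merges
 * it with the next literal into one entry "RESOLV_HOST_CONFRES_OPTIONS".
 * Neither RESOLV_HOST_CONF nor RES_OPTIONS is matched any more. */
static const char *const unsecure_envvars_buggy[] = {
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    "RESOLV_HOST_CONF"   /* <-- missing comma: literals concatenate */
    "RES_OPTIONS",
    "LOCALDOMAIN",
    NULL
};

/* Corrected list: every entry is a separate literal. */
static const char *const unsecure_envvars_fixed[] = {
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    "RESOLV_HOST_CONF",
    "RES_OPTIONS",
    "LOCALDOMAIN",
    NULL
};

/* Number of entries in a NULL-terminated list. A count lower than the
 * number of names you expect is the cheapest detection for a merged entry. */
size_t list_len(const char *const *list)
{
    size_t n = 0;
    while (list[n] != NULL)
        n++;
    return n;
}

/* Exact-name membership test: is NAME one of the entries? */
int is_unsecure(const char *const *list, const char *name)
{
    for (const char *const *p = list; *p != NULL; p++)
        if (strcmp(*p, name) == 0)
            return 1;
    return 0;
}

/* Remove every "KEY=VALUE" entry whose KEY is in LIST from a NULL-terminated
 * envp-style array, compacting it in place. Returns the number removed. */
size_t sanitize_env(char **envp, const char *const *list)
{
    size_t kept = 0, removed = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        const char *eq = strchr(envp[i], '=');
        size_t klen = eq ? (size_t)(eq - envp[i]) : strlen(envp[i]);
        int drop = 0;
        for (const char *const *p = list; *p != NULL; p++) {
            if (strlen(*p) == klen && strncmp(*p, envp[i], klen) == 0) {
                drop = 1;
                break;
            }
        }
        if (drop)
            removed++;
        else
            envp[kept++] = envp[i];
    }
    envp[kept] = NULL;
    return removed;
}

/* Run sanitize_env over a constructed environment and report whether
 * RESOLV_HOST_CONF survived. Returns the number of entries removed. */
size_t demo(const char *const *list, int *resolv_survives)
{
    char v0[] = "PATH=/usr/bin";
    char v1[] = "RESOLV_HOST_CONF=/some/file";   /* constructed sample */
    char v2[] = "RES_OPTIONS=debug";             /* constructed sample */
    char v3[] = "HOME=/home/user";
    char *env[] = { v0, v1, v2, v3, NULL };

    size_t removed = sanitize_env(env, list);
    *resolv_survives = 0;
    for (size_t i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], "RESOLV_HOST_CONF=", 17) == 0)
            *resolv_survives = 1;
    return removed;
}

int main(void)
{
    int s;
    printf("buggy list has %zu entries, fixed list has %zu\n",
           list_len(unsecure_envvars_buggy), list_len(unsecure_envvars_fixed));
    printf("buggy: removed %zu, RESOLV_HOST_CONF survives=%d\n",
           demo(unsecure_envvars_buggy, &s), s);
    printf("fixed: removed %zu, RESOLV_HOST_CONF survives=%d\n",
           demo(unsecure_envvars_fixed, &s), s);
    return 0;
}
```

The point for a reviewer or packager is that the defect is invisible at compile time (the merged literal is perfectly valid C), so the check has to be on the data: compare the entry count or the exact names against the list you intended, rather than trusting that the source "looks right". The same concatenation trap applies to any table of string literals, not only environment-variable lists.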