[18619] in bugtraq
Re: Glibc Local Root Exploit
daemon@ATHENA.MIT.EDU (Florian Weimer)
Mon Jan 15 13:36:46 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <tglmsglmva.fsf@mercury.rus.uni-stuttgart.de>
Date: Fri, 12 Jan 2001 18:08:09 +0100
Reply-To: Florian Weimer <Florian.Weimer@RUS.UNI-STUTTGART.DE>
From: Florian Weimer <Florian.Weimer@RUS.UNI-STUTTGART.DE>
X-To: Simon Cozens <simon@COZENS.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20010111020406.A9633@pembro26.pmb.ox.ac.uk>
Simon Cozens <simon@COZENS.NET> writes:
> And a patch. Yeah, it's pretty obvious, but nobody's produced it yet.
Your patch doesn't include the HOSTALIASES fix (which is
security-related as well):
Index: sysdeps/generic/unsecvars.h
===================================================================
RCS file: /cvs/glibc/libc/sysdeps/generic/unsecvars.h,v
retrieving revision 1.1
retrieving revision 1.3
diff -u -d -b -r1.1 -r1.3
--- unsecvars.h 2000/09/26 09:31:25 1.1
+++ unsecvars.h 2001/01/08 17:54:58 1.3
@@ -1,11 +1,12 @@
/* Environment variable to be removed for SUID programs. */
#define UNSECURE_ENVVARS \
"GCONV_PATH", \
+ "HOSTALIASES", \
"LOCALDOMAIN", \
"LOCPATH", \
"MALLOC_TRACE", \
"NLSPATH", \
- "RESOLV_HOST_CONF" \
+ "RESOLV_HOST_CONF", \
"RES_OPTIONS", \
"TMPDIR", \
"TZDIR"
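Review bot: The comma added after "RESOLV_HOST_CONF" is a separate fix from the HOSTALIASES addition and should be called out as such in the change description. In revision 1.1 the line `"RESOLV_HOST_CONF" \` is followed directly by `"RES_OPTIONS", \`, and adjacent C string literals are concatenated, so the list contained the single entry "RESOLV_HOST_CONFRES_OPTIONS" and neither real variable name was in it. Since this list is security-relevant, consider a check (for example a test that looks up each expected name in the expanded list) so that a missing comma cannot go unnoticed again.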
Index: resolv/res_query.c
===================================================================
RCS file: /cvs/glibc/libc/resolv/res_query.c,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -d -b -r1.15 -r1.16
--- res_query.c 2000/07/19 21:59:47 1.15
+++ res_query.c 2001/01/08 17:55:24 1.16
@@ -371,7 +371,7 @@
if (statp->options & RES_NOALIASES)
return (NULL);
- file = __secure_getenv("HOSTALIASES");
+ file = getenv("HOSTALIASES");
if (file == NULL || (fp = fopen(file, "r")) == NULL)
return (NULL);
setbuf(fp, NULL);
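Review bot: The replacement of `__secure_getenv("HOSTALIASES")` with plain `getenv("HOSTALIASES")` comes without a comment explaining why the unguarded lookup is safe, and the value goes straight into `fopen(file, "r")` on the next line. As written, the protection for SUID programs depends entirely on HOSTALIASES being present in the UNSECURE_ENVVARS list changed in the same patch. Please add a comment at this call that states that dependency, or give the reason for dropping `__secure_getenv` here, since keeping it would protect this path even if the variable were ever missing from that list.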
--
Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898