Bug 1299754

Summary: glibc: Bypass the pointer guarding protection on set-user-ID and set-group-ID executables (PTR_MANGLE)
Product: [Other] Security Response
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: arjun.is, ashankar, codonell, fweimer, jakub, law, mfabian, mnewsome, pfrankli, siddhesh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2016-01-19 08:54:55 UTC
Type: ---
Bug Depends On: 1276761, 1299755

Description Huzaifa S. Sidhpurwala 2016-01-19 08:47:07 UTC
A weakness was found in the dynamic loader in glibc prior to 2.22.90. LD_POINTER_GUARD in the environment was not sanitized, allowing local attackers to bypass the pointer guarding protection on set-user-ID and set-group-ID executables.

This is a different security flaw than CVE-2013-4788, and only executables which dynamically link against glibc are affected.

This issue has been fixed upstream via the following commit:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7

External References:

http://hmarco.org/bugs/glibc_ptr_mangle_weakness.html
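
As an added illustration (not glibc's code and not the commit referenced above), the following C model shows the secure-mode environment filter applied to set-user-ID and set-group-ID programs, once with LD_POINTER_GUARD missing from the unsecure list and once with it present; the list contents and the sample environment are shortened, constructed assumptions.

```c
#include <string.h>

/* Constructed model (not glibc's code) of the dynamic loader's secure-mode
 * filter: for set-user-ID/set-group-ID programs (AT_SECURE), environment
 * entries named on the "unsecure" list are dropped before the program runs.
 * The lists below are shortened, assumed samples; glibc's are longer. */
static const char *const unsecure_before[] = {   /* LD_POINTER_GUARD absent */
    "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT", NULL };
static const char *const unsecure_after[] = {    /* fixed: now filtered too */
    "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT", "LD_POINTER_GUARD", NULL };

/* Nonzero if the "NAME=value" entry names a variable on LIST. */
static int is_unsecure(const char *entry, const char *const *list)
{
    const char *eq = strchr(entry, '=');
    size_t namelen = eq ? (size_t)(eq - entry) : strlen(entry);
    for (; *list != NULL; list++)
        if (strlen(*list) == namelen && memcmp(entry, *list, namelen) == 0)
            return 1;
    return 0;
}

/* Compact ENVP in place, dropping unsecure entries when AT_SECURE is set;
 * returns the number of entries kept. */
size_t sanitize_env(char **envp, int at_secure, int fixed)
{
    const char *const *list = fixed ? unsecure_after : unsecure_before;
    size_t out = 0;
    for (size_t in = 0; envp[in] != NULL; in++) {
        if (at_secure && is_unsecure(envp[in], list))
            continue;                     /* never visible to the program */
        envp[out++] = envp[in];
    }
    envp[out] = NULL;
    return out;
}

/* Run a constructed AT_SECURE environment through the filter; returns 1 if
 * LD_POINTER_GUARD still reaches the program, 0 if it was dropped. */
int pointer_guard_reaches_program(int fixed)
{
    char *env[] = { "PATH=/usr/bin", "LD_POINTER_GUARD=constructed",
                    "LD_PRELOAD=constructed.so", "HOME=/tmp", NULL };
    sanitize_env(env, 1, fixed);
    for (size_t i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], "LD_POINTER_GUARD=", 17) == 0)
            return 1;
    return 0;
}
```

With the pre-fix list the variable survives into the privileged program; with the fixed list it is stripped alongside LD_PRELOAD.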

Comment 1 Huzaifa S. Sidhpurwala 2016-01-19 08:47:51 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1299755]

Comment 2 Huzaifa S. Sidhpurwala 2016-01-19 08:51:50 UTC
CVE request:
http://www.openwall.com/lists/oss-security/2015/09/05/8

No CVE has been assigned by MITRE yet.

Comment 4 Florian Weimer 2016-02-08 10:30:31 UTC
This bug appears to be a duplicate of bug 1260581.