Bug 1526865 (CVE-2017-16997)

Summary: CVE-2017-16997 glibc: Incorrect handling of RPATH in elf/dl-load.c can be used to execute code loaded from arbitrary libraries
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: alanm, aoliva, arjun.is, ashankar, codonell, dj, fweimer, glibc-bugzilla, law, mfabian, mnewsome, pfrankli, rth, sfowler, siddhesh, slawomir
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: glibc 2.25.1
Last Closed: 2019-06-08 03:34:35 UTC
Bug Depends On: 1526866, 1540465, 1540480, 1849764
Bug Blocks: 1526867

Description Sam Fowler 2017-12-18 04:03:13 UTC
Incorrect handling of RPATH (or RUNPATH) in elf/dl-load.c could be used to run executables with libraries loaded from the current directory. Executables with AT_SECURE or SETUID that contain '$ORIGIN' in RPATH/RUNPATH could be used to run arbitrary code and lead to escalation of privileges.

This vulnerability was introduced in glibc version 2.19.

References:
https://sourceware.org/bugzilla/show_bug.cgi?id=22625
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884615
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16997
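
A defender-side audit for the condition the report describes, added here as an example that is not part of the bug report or of glibc: it parses `readelf -d` output and flags any DT_RPATH/DT_RUNPATH entry containing `$ORIGIN`, which is what makes an AT_SECURE (setuid/setgid) binary relevant to this issue on unfixed glibc. The sample readelf output is constructed; `check_file` assumes binutils' `readelf` is installed.

```python
import re
import subprocess
import sys

# Constructed sample of `readelf -d` output for a hypothetical setuid binary
# (not taken from the bug report); lets the check run offline.
SAMPLE_READELF_D = """
Dynamic section at offset 0x2d98 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib]
 0x000000000000000c (INIT)               0x1000
"""

# readelf prints "Library rpath: [...]" for DT_RPATH and "Library runpath: [...]" for DT_RUNPATH.
_PATH_TAG = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path:\s+\[(.*)\]")


def search_paths(readelf_output: str) -> list[tuple[str, str]]:
    """Return (tag, value) pairs for every DT_RPATH / DT_RUNPATH entry."""
    return [(m.group(1), m.group(2)) for m in _PATH_TAG.finditer(readelf_output)]


def origin_risk(readelf_output: str) -> list[str]:
    """Return search-path entries that rely on $ORIGIN expansion.

    On glibc 2.19 up to the fix in 2.25.1, such entries in an AT_SECURE
    program could cause libraries to be loaded from the current directory,
    so any hit on a setuid/setgid binary deserves a closer look.
    """
    hits = []
    for _tag, value in search_paths(readelf_output):
        for entry in value.split(":"):
            if "$ORIGIN" in entry or "${ORIGIN}" in entry:
                hits.append(entry)
    return hits


def check_file(path: str) -> list[str]:
    """Run readelf on a real binary (requires binutils) and apply the check."""
    proc = subprocess.run(["readelf", "-d", path], capture_output=True, text=True, check=True)
    return origin_risk(proc.stdout)


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        print("sample:", origin_risk(SAMPLE_READELF_D))
    for p in paths:
        hits = check_file(p)
        print(f"{p}: {'FLAG ' + ', '.join(hits) if hits else 'ok'}")
```

Run it over the setuid/setgid binaries on a host (e.g. the output of `find / -perm /6000 -type f`) to list the candidates that need the glibc update; a binary with no `$ORIGIN` entry is not affected by this particular issue.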

Comment 1 Sam Fowler 2017-12-18 04:04:01 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1526866]

Comment 3 Huzaifa S. Sidhpurwala 2017-12-18 09:58:22 UTC
The Fedora version of glibc carries the following patch and therefore is not vulnerable:

glibc-fedora-elf-ORIGIN.patch:

From 207e77fd3f0a94acdf0557608dd4f10ce0e0f22f Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab>
Date: Mon, 9 May 2011 10:55:58 +0200
Subject: [PATCH] Never leave $ORIGIN unexpanded

Comment 8 Huzaifa S. Sidhpurwala 2018-01-31 05:59:47 UTC
This issue is addressed by the following upstream commit:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1998843fb78d9b3ebc0216757042ce4b00dd08a1

Comment 11 errata-xmlrpc 2018-10-30 07:36:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3092 https://access.redhat.com/errata/RHSA-2018:3092